openssl: parse X.509 extended key usage from extension parsing loop
authorMartin Willi <martin@revosec.ch>
Tue, 30 Apr 2013 09:55:38 +0000 (11:55 +0200)
committerMartin Willi <martin@revosec.ch>
Thu, 18 Jul 2013 10:17:53 +0000 (12:17 +0200)
Otherwise parsing gets aborted if unknown critical extensions are handled as an
error.

src/libstrongswan/plugins/openssl/openssl_x509.c

index f15f511..24b12d5 100644 (file)
@@ -679,6 +679,41 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
 }
 
 /**
+ * Parse ExtendedKeyUsage
+ */
+static bool parse_extKeyUsage_ext(private_openssl_x509_t *this,
+                                                                 X509_EXTENSION *ext)
+{
+       EXTENDED_KEY_USAGE *usage;
+       int i;
+
+       usage = X509V3_EXT_d2i(ext);
+       if (usage)
+       {
+               for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
+               {
+                       switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
+                       {
+                               case NID_server_auth:
+                                       this->flags |= X509_SERVER_AUTH;
+                                       break;
+                               case NID_client_auth:
+                                       this->flags |= X509_CLIENT_AUTH;
+                                       break;
+                               case NID_OCSP_sign:
+                                       this->flags |= X509_OCSP_SIGNER;
+                                       break;
+                               default:
+                                       break;
+                       }
+               }
+               sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
+               return TRUE;
+       }
+       return FALSE;
+}
+
+/**
  * Parse CRL distribution points
  */
 static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
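Review bot: parse_extKeyUsage_ext has no documented return contract even though its FALSE result is what the extension loop assigns to `ok`; the header comment should state it, e.g. `Parse ExtendedKeyUsage: sets X509_SERVER_AUTH/X509_CLIENT_AUTH/X509_OCSP_SIGNER, returns FALSE if the extension cannot be decoded`. The switch silently drops every purpose other than the three handled, including anyExtendedKeyUsage (NID_anyExtendedKeyUsage), which RFC 5280 defines as matching any purpose; whether that should be honoured or deliberately ignored is a policy decision that deserves a `/* anyExtendedKeyUsage intentionally not mapped to any flag */` comment in the default branch. A decoded but empty sequence also returns TRUE with no flags set, which looks acceptable but is worth confirming is the intended outcome.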
@@ -963,6 +998,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
                                case NID_key_usage:
                                        ok = parse_keyUsage_ext(this, ext);
                                        break;
+                               case NID_ext_key_usage:
+                                       ok = parse_extKeyUsage_ext(this, ext);
+                                       break;
                                case NID_crl_distribution_points:
                                        ok = parse_crlDistributionPoints_ext(this, ext);
                                        break;
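Review bot: Routing NID_ext_key_usage through the new handler changes the failure semantics: the removed parse_extKeyUsage simply skipped an undecodable extension, whereas parse_extKeyUsage_ext returns FALSE and that value is stored in `ok`, which presumably aborts certificate parsing as it does for the neighbouring handlers. Treating a malformed ExtendedKeyUsage as a hard parse error is the stricter and safer choice, but it is a behaviour change the commit message does not mention; a short comment on the case, e.g. `/* an undecodable EKU is now a parse error, previously ignored */`, would make it explicit. parse_extensions starts and ends outside this hunk.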
@@ -996,38 +1034,6 @@ static bool parse_extensions(private_openssl_x509_t *this)
 }
 
 /**
- * Parse ExtendedKeyUsage
- */
-static void parse_extKeyUsage(private_openssl_x509_t *this)
-{
-       EXTENDED_KEY_USAGE *usage;
-       int i;
-
-       usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
-       if (usage)
-       {
-               for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
-               {
-                       switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
-                       {
-                               case NID_server_auth:
-                                       this->flags |= X509_SERVER_AUTH;
-                                       break;
-                               case NID_client_auth:
-                                       this->flags |= X509_CLIENT_AUTH;
-                                       break;
-                               case NID_OCSP_sign:
-                                       this->flags |= X509_OCSP_SIGNER;
-                                       break;
-                               default:
-                                       break;
-                       }
-               }
-               sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
-       }
-}
-
-/**
  * Parse a DER encoded x509 certificate
  */
 static bool parse_certificate(private_openssl_x509_t *this)
@@ -1093,7 +1099,6 @@ static bool parse_certificate(private_openssl_x509_t *this)
        {
                return FALSE;
        }
-       parse_extKeyUsage(this);
 
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (!hasher || !hasher->allocate_hash(hasher, this->encoding, &this->hash))