x509: Ensure extensions are encoded even if others are missing
authorTobias Brunner <tobias@strongswan.org>
Wed, 15 Nov 2023 16:08:46 +0000 (17:08 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 15 Nov 2023 16:08:46 +0000 (17:08 +0100)
As with the previous commit, this is probably never an issue in practice
as most certificates contain at least one SAN.

src/libstrongswan/plugins/x509/x509_cert.c

index 592a96d9d9b022c75f858b123ab7cf9fc0c5d9cf..4c7c156ad9e39616af12e8f8c4b1d7ec98dff8b2 100644 (file)
@@ -2635,8 +2635,12 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                        asn1_simple_object(ASN1_OCTET_STRING, chunk_empty));
        }
 
-       if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
-               crlDistributionPoints.ptr || nameConstraints.ptr || ipAddrBlocks.ptr)
+       if (basicConstraints.ptr || keyUsage.ptr || subjectKeyIdentifier.ptr ||
+               authKeyIdentifier.ptr || subjectAltNames.ptr || extendedKeyUsage.ptr ||
+               crlDistributionPoints.ptr || authorityInfoAccess.ptr ||
+               nameConstraints.ptr || certPolicies.ptr || policyMappings.ptr ||
+               policyConstraints.ptr || inhibitAnyPolicy.ptr || ipAddrBlocks.ptr ||
+               criticalExtension.ptr)
        {
                extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
                                                asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmmmm",
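Review bot: The guard on the new side is a hand-maintained list of 15 `.ptr` checks that has to match the 15 `m` arguments of the inner `asn1_wrap(ASN1_SEQUENCE, ...)` call, and nothing in the hunk ties the two together, which is presumably how the old six-entry list fell out of step. A comment above the `if`, such as `/* must name every chunk passed to the SEQUENCE below, otherwise that extension is silently dropped */`, would make the invariant visible to whoever adds the next extension. The omission is security-relevant: with the old condition, a certificate requested with only `keyUsage`, `extendedKeyUsage` or `policyConstraints` set would apparently have been issued without any extensions, so less restricted than the caller intended. A regression test that generates such a certificate and re-parses it would pin this, if the commit does not already add one. The `asn1_wrap()` argument list and the rest of `generate()` lie outside the hunk, so the count of 15 comes from the format string alone.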