From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 15 Nov 2023 16:01:02 +0000 (+0100)
Subject: x509: Also encode extendedKeyUsage in cert requests if there are no SANs or certifica... 
X-Git-Tag: 5.9.12~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba08e01b86d0cec7e936821632abae748048b024;p=thirdparty%2Fstrongswan.git

x509: Also encode extendedKeyUsage in cert requests if there are no SANs or certificate type

Probably never was an issue in practice as most certificates contain at
least one SAN.
---

diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index dcf431ea83..d3e6104ae1 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -337,7 +337,7 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key,
 	extendedKeyUsage = x509_generate_eku_extension(cert->flags);
 
 	/* encode extensionRequest attribute */
-	if (subjectAltNames.ptr || certTypeExt.ptr)
+	if (subjectAltNames.ptr || certTypeExt.ptr || extendedKeyUsage.ptr)
 	{
 		extensionRequest = asn1_wrap(ASN1_SEQUENCE, "mm",
 				asn1_build_known_oid(OID_EXTENSION_REQUEST),