x509: Add flag that marks compliance with RFC 4945

According to RFC 4945, section 5.1.3.2, a certificate for IKE must
either not contain the keyUsage extension, or, if it does, have at least
one of the digitalSignature or nonReputiation bits set.

diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 2c640e2da38f24e453e4308572148d371a246148..3f8af31061f3bd1ca5db809c09aef0a8e8d248ab 100644 (file)
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -62,6 +62,9 @@ enum x509_flag_t {
        X509_IKE_INTERMEDIATE =   (1<<8),
        /** cert has Microsoft Smartcard Logon usage */
        X509_MS_SMARTCARD_LOGON = (1<<9),
+       /** cert either lacks keyUsage bits, or includes either digitalSignature
+        *  or nonRepudiation as per RFC 4945, section 5.1.3.2. */
+       X509_IKE_COMPLIANT =      (1<<10),
 };
 
 extern enum_name_t *x509_flag_names;