x509: Set IKE compliance flag depending on keyUsage

author Tobias Brunner <tobias@strongswan.org>

Wed, 25 Apr 2018 08:50:03 +0000 (10:50 +0200)

committer Tobias Brunner <tobias@strongswan.org>

Tue, 22 May 2018 07:50:47 +0000 (09:50 +0200)
author Tobias Brunner <tobias@strongswan.org>
Wed, 25 Apr 2018 08:50:03 +0000 (10:50 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Tue, 22 May 2018 07:50:47 +0000 (09:50 +0200)
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c

index d1f9d9aac32c9f19ccb0b882d46c848797a98512..bc3a443464aa0628e865937bfa8623e77a70a0d6 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -704,6 +704,9 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
                 KU_DECIPHER_ONLY =              8,
         };
  
+       /* to be compliant with RFC 4945 specific KUs have to be included */
+       this->flags &= ~X509_IKE_COMPLIANT;
+
         if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
         {
                 int bit, byte, unused = blob.ptr[0];
@@ -724,10 +727,12 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
                                                 case KU_CRL_SIGN:
                                                         this->flags |= X509_CRL_SIGN;
                                                         break;
-                                               case KU_KEY_CERT_SIGN:
-                                                       /* we use the caBasicConstraint, MUST be set */
                                                 case KU_DIGITAL_SIGNATURE:
                                                 case KU_NON_REPUDIATION:
+                                                       this->flags |= X509_IKE_COMPLIANT;
+                                                       break;
+                                               case KU_KEY_CERT_SIGN:
+                                                       /* we use the caBasicConstraint, MUST be set */
                                                 case KU_KEY_ENCIPHERMENT:
                                                 case KU_DATA_ENCIPHERMENT:
                                                 case KU_KEY_AGREEMENT:
@@ -1381,6 +1386,9 @@ static bool parse_certificate(private_x509_cert_t *this)
  
         parser = asn1_parser_create(certObjects, this->encoding);
  
+       /* unless we see a keyUsage extension we are compliant with RFC 4945 */
+       this->flags |= X509_IKE_COMPLIANT;
+
         while (parser->iterate(parser, &objectID, &object))
         {
                 u_int level = parser->get_level(parser)+1;
author	Tobias Brunner <tobias@strongswan.org>
	Wed, 25 Apr 2018 08:50:03 +0000 (10:50 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Tue, 22 May 2018 07:50:47 +0000 (09:50 +0200)