From: Tobias Brunner
Date: Wed, 15 Nov 2023 16:08:46 +0000 (+0100)
Subject: x509: Ensure extensions are encoded even if others are missing
X-Git-Tag: 5.9.12~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74ae71d2b8a53ad41f810cd14baca929a0af747d;p=thirdparty%2Fstrongswan.git

x509: Ensure extensions are encoded even if others are missing

As with the previous commit, this is probably never an issue in practice as most certificates contain at least one SAN.
---
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 592a96d9d9..4c7c156ad9 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -2635,8 +2635,12 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 asn1_simple_object(ASN1_OCTET_STRING, chunk_empty));
 }

- if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
- crlDistributionPoints.ptr || nameConstraints.ptr || ipAddrBlocks.ptr)
+ if (basicConstraints.ptr || keyUsage.ptr || subjectKeyIdentifier.ptr ||
+ authKeyIdentifier.ptr || subjectAltNames.ptr || extendedKeyUsage.ptr ||
+ crlDistributionPoints.ptr || authorityInfoAccess.ptr ||
+ nameConstraints.ptr || certPolicies.ptr || policyMappings.ptr ||
+ policyConstraints.ptr || inhibitAnyPolicy.ptr || ipAddrBlocks.ptr ||
+ criticalExtension.ptr)
 {
 extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
 asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmmmm",
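Review bot: The guard on `extensions` is now a second hand-maintained copy of the list of chunks passed to the `asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmmmm", ...)` call, and nothing in the hunk ties the two together, so the next extension added to the wrap can again be dropped silently when it is the only one present. For a certificate generator that matters because a missing keyUsage, nameConstraints or policy extension yields a certificate less restricted than the caller asked for, with no error. I would add a comment above the condition, e.g. `/* must list every chunk passed to the asn1_wrap() below, otherwise a lone extension is silently omitted */`, and, if the test suite does not already have one, a case that generates a certificate with only one of the newly listed extensions and checks that it survives a parse. The wrap's argument list continues outside the hunk, so whether its order and count match the 15 names here could not be checked from this page.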