From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 23 Feb 2023 15:54:51 +0000 (+0100)
Subject: pki: Allow overriding EKU flags from certificate request via command line
X-Git-Tag: 5.9.10~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8325eeff06ef97a97d03add619db21a86c6303c0;p=thirdparty%2Fstrongswan.git

pki: Allow overriding EKU flags from certificate request via command line

The flags encoded in the PKCS#10 structure (or derived from the encoded
profile name) might not be appropriate in some instances. This allows
overriding them without having to issue a new certificate request.
---

diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 023f0536ab..ad4f13d22d 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -482,8 +482,11 @@ static int issue()
 		}
 		req = (pkcs10_t*)cert_req;
 
-		/* Add Extended Key Usage (EKU) flags */
-		flags |= req->get_flags(req);
+		/* Add Extended Key Usage (EKU) flags if not overridden */
+		if (!flags)
+		{
+			flags = req->get_flags(req);
+		}
 
 		/* Add subjectAltNames from PKCS#10 certificate request */
 		enumerator = req->create_subjectAltName_enumerator(req);