From 504e12326d471182a48f172bd42dbecde738b83d Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 25 Apr 2018 10:51:51 +0200
Subject: [PATCH] openssl: Set IKE compliance flag depending on keyUsage

---
 src/libstrongswan/plugins/openssl/openssl_x509.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 60c08770b2..fae2d678fb 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -668,6 +668,9 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
 {
 	ASN1_BIT_STRING *usage;
 
+	/* to be compliant with RFC 4945 specific KUs have to be included */
+	this->flags &= ~X509_IKE_COMPLIANT;
+
 	usage = X509V3_EXT_d2i(ext);
 	if (usage)
 	{
@@ -682,6 +685,11 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
 			{
 				this->flags |= X509_CRL_SIGN;
 			}
+			if (flags & X509v3_KU_DIGITAL_SIGNATURE ||
+				flags & X509v3_KU_NON_REPUDIATION)
+			{
+				this->flags |= X509_IKE_COMPLIANT;
+			}
 			if (flags & X509v3_KU_KEY_CERT_SIGN)
 			{
 				/* we use the caBasicContraint, MUST be set */
@@ -988,6 +996,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
 	STACK_OF(X509_EXTENSION) *extensions;
 	int i, num;
 
+	/* unless we see a keyUsage extension we are compliant with RFC 4945 */
+	this->flags |= X509_IKE_COMPLIANT;
+
 	extensions = X509_get0_extensions(this->x509);
 	if (extensions)
 	{
-- 
2.47.3