From bee6354eb76e5ad4e8b0afbceceddc6e2c4377aa Mon Sep 17 00:00:00 2001
From: Christos Tsantilas <chtsanti@users.sourceforge.net>
Date: Mon, 28 Jan 2013 19:38:00 +0200
Subject: [PATCH] Mimic Key Usage and Basic Constraints

There are cases where the generated certificates do not mimic enough properties
and secure connection with the client fails. For example, Squid does not mimic
Key Usage extensions. Clients using GnuTLS (or similar libraries that validate
server certificate using those extensions) fail to secure the connection with
Squid.

This patch add mimicking for the following extensions, which are considered
as safe to mimic:
    * X509v3 Key Usage
    * X509v3 Extended Key Usage,
    * X509v3 Basic Constraints CA.

We would be happy to add more "safe to mimic" extensions if users request (and
vouch for) them.

This is a Measurement Factory project
---
 src/ssl/gadgets.cc | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index ac94bc165c..e62e840f55 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -249,6 +249,31 @@ std::string & Ssl::CertificateProperties::dbKey() const
     return certKey;
 }
 
+// Copy certificate extensions from cert to mimicCert.
+// Currently only extensions which are reported by the users that required are
+// mimicked. More safe to mimic extensions would be added here if users request
+// them.
+static void
+mimicExtensions(Ssl::X509_Pointer & cert, Ssl::X509_Pointer const & mimicCert)
+{
+    static int extensions[]= {
+        NID_key_usage,
+        NID_ext_key_usage, 
+        NID_basic_constraints,
+        0
+    };
+
+    int nid;
+    for (int i = 0; (nid = extensions[i]) != 0; ++i) {
+        const int pos = X509_get_ext_by_NID(mimicCert.get(), nid, -1);
+        if (X509_EXTENSION *ext = X509_get_ext(mimicCert.get(), pos))
+            X509_add_ext(cert.get(), ext, -1);
+    }
+
+    // We could also restrict mimicking of the CA extension to CA:FALSE
+    // because Squid does not generate valid fake CA certificates.
+}
+
 static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
 {
     // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
@@ -320,6 +345,8 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
                 X509_set_version(cert.get(), 2);
             }
         }
+
+        mimicExtensions(cert, properties.mimicCert);
     }
 
     return true;
-- 
2.47.3