From: Tobias Brunner Date: Wed, 25 Apr 2018 08:48:21 +0000 (+0200) Subject: x509: Add flag that marks compliance with RFC 4945 X-Git-Tag: 5.6.3dr2~5^2~10 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=9fcf4fdda1acafbdebb099564e25633677877e55;p=thirdparty%2Fstrongswan.git x509: Add flag that marks compliance with RFC 4945 According to RFC 4945, section 5.1.3.2, a certificate for IKE must either not contain the keyUsage extension, or, if it does, have at least one of the digitalSignature or nonReputiation bits set.
---
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 2c640e2da3..3f8af31061 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -62,6 +62,9 @@ enum x509_flag_t {
 X509_IKE_INTERMEDIATE = (1<<8),
 /** cert has Microsoft Smartcard Logon usage */
 X509_MS_SMARTCARD_LOGON = (1<<9),
+ /** cert either lacks keyUsage bits, or includes either digitalSignature
+ * or nonRepudiation as per RFC 4945, section 5.1.3.2. */
+ X509_IKE_COMPLIANT = (1<<10),
 };

 extern enum_name_t *x509_flag_names;
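Review bot: The doc comment on `X509_IKE_COMPLIANT` says the cert "lacks keyUsage bits", which can also be read as a keyUsage extension that is present but has no bits set; the commit message ties the pass case to the extension being absent altogether. If this flag is later used to decide whether a certificate is acceptable for IKE authentication, that ambiguity matters, so I would word it as `/** cert either has no keyUsage extension, or the extension includes digitalSignature or nonRepudiation, as per RFC 4945, section 5.1.3.2 */`. It would also help to note in the comment that the flag is set on compliance rather than on violation, so a certificate from a parser that never sets it is treated as non-compliant. The enum starts outside this hunk, and whether the `x509_flag_names` table declared below it needs a matching entry cannot be seen from here.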