Diffstat (limited to 'src/libstrongswan/plugins/openssl/openssl_x509.c')
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 60c08770b..fae2d678f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -668,6 +668,9 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
{
ASN1_BIT_STRING *usage;
+ /* to be compliant with RFC 4945 specific KUs have to be included */
+ this->flags &= ~X509_IKE_COMPLIANT;
+
usage = X509V3_EXT_d2i(ext);
if (usage)
{
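Review bot: The comment above `this->flags &= ~X509_IKE_COMPLIANT;` only hints at which key-usage bits matter, and it does not say that clearing the flag before `X509V3_EXT_d2i(ext)` runs also covers a keyUsage extension that fails to decode — that certificate stays marked non-compliant, which is the safe direction and worth stating. Suggest replacing it with `/* RFC 4945 requires digitalSignature or nonRepudiation when keyUsage is present: assume non-compliance until one of them is seen (this also covers an undecodable extension) */`. The body of parse_keyUsage_ext continues past the hunk; the flag is only set again further down when one of those bits is found.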
@@ -682,6 +685,11 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
{
this->flags |= X509_CRL_SIGN;
}
+ if (flags & X509v3_KU_DIGITAL_SIGNATURE ||
+ flags & X509v3_KU_NON_REPUDIATION)
+ {
+ this->flags |= X509_IKE_COMPLIANT;
+ }
if (flags & X509v3_KU_KEY_CERT_SIGN)
{
/* we use the caBasicContraint, MUST be set */
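Review bot: The new condition `if (flags & X509v3_KU_DIGITAL_SIGNATURE || flags & X509v3_KU_NON_REPUDIATION)` is correct because `&` binds tighter than `||`, but it reads as two separate tests and invites a precedence slip on a later edit; a single mask, `if (flags & (X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_NON_REPUDIATION))`, states the rule directly and matches the single-bit tests around it. A short comment naming the requirement would also help readers who do not know why these two bits are special, e.g. `/* RFC 4945: a keyUsage extension MUST include digitalSignature or nonRepudiation */`. parse_keyUsage_ext continues outside the hunk.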
@@ -988,6 +996,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
STACK_OF(X509_EXTENSION) *extensions;
int i, num;
+ /* unless we see a keyUsage extension we are compliant with RFC 4945 */
+ this->flags |= X509_IKE_COMPLIANT;
+
extensions = X509_get0_extensions(this->x509);
if (extensions)
{
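Review bot: `this->flags |= X509_IKE_COMPLIANT;` is set unconditionally before the extension stack is examined, so a certificate with no extensions at all (`extensions == NULL`) is reported compliant as well, and the only place that withdraws the flag appears to be parse_keyUsage_ext(); the comment should name that coupling so the two sites stay in sync, e.g. `/* default to RFC 4945 compliance; parse_keyUsage_ext() clears this unless the required KU bits are present */`. This presumably relies on parse_extensions() running once per certificate before the flag is read — worth confirming against the callers. parse_extensions continues outside the hunk.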