openssl: Set X509_CRL_SIGN for CA certificates without keyUsage extension

This commit is contained in:
Tobias Brunner 2023-02-22 17:18:36 +01:00
parent 7414c06669
commit d12a4f5d23


@ -687,9 +687,6 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
{
ASN1_BIT_STRING *usage;
/* to be compliant with RFC 4945 specific KUs have to be included */
this->flags &= ~X509_IKE_COMPLIANT;
usage = X509V3_EXT_d2i(ext);
if (usage)
{
@ -1013,11 +1010,9 @@ static bool parse_subjectKeyIdentifier_ext(private_openssl_x509_t *this,
static bool parse_extensions(private_openssl_x509_t *this)
{
const STACK_OF(X509_EXTENSION) *extensions;
bool key_usage_parsed = FALSE;
int i, num;
/* unless we see a keyUsage extension we are compliant with RFC 4945 */
this->flags |= X509_IKE_COMPLIANT;
extensions = X509_get0_extensions(this->x509);
if (extensions)
{
@ -1051,6 +1046,7 @@ static bool parse_extensions(private_openssl_x509_t *this)
break;
case NID_key_usage:
ok = parse_keyUsage_ext(this, ext);
key_usage_parsed = TRUE;
break;
case NID_ext_key_usage:
ok = parse_extKeyUsage_ext(this, ext);
@ -1084,6 +1080,16 @@ static bool parse_extensions(private_openssl_x509_t *this)
}
}
}
if (!key_usage_parsed)
{
/* we are compliant with RFC 4945 without keyUsage extension */
this->flags |= X509_IKE_COMPLIANT;
/* allow CA certificates without keyUsage extension to sign CRLs */
if (this->flags & X509_CA)
{
this->flags |= X509_CRL_SIGN;
}
}
return TRUE;
}
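Review bot: The new block at the end of parse_extensions should say why granting X509_CRL_SIGN here is standards-conformant rather than a policy relaxation, since a reader of the comment "allow CA certificates without keyUsage extension to sign CRLs" cannot tell; suggest replacing it with `/* RFC 5280 4.2.1.3: an absent keyUsage imposes no restriction, so a CA may also sign CRLs; X509_CA is expected to have been set while walking the extensions above */`. The X509_CA test at this point appears to depend on basicConstraints having been handled in the extension loop earlier in the function, which holds because the check sits after the loop, but that ordering is worth stating so a future reordering does not silently drop the flag. In the second hunk key_usage_parsed is set TRUE regardless of the ok result of parse_keyUsage_ext; whether a failed parse can still reach this block depends on code outside the hunk, so please confirm that path is rejected before it gets here.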