path: root/src/libstrongswan/plugins/openssl/openssl_x509.c
authorMartin Willi <martin@revosec.ch>2013-04-30 11:55:38 +0200
committerMartin Willi <martin@revosec.ch>2013-07-18 12:17:53 +0200
commitc3e7b3de0b1ffb1647315733e13c47abd5d1d2b6 (patch)
treedab621eb44ae557181e158b42fde932cf97c2d54 /src/libstrongswan/plugins/openssl/openssl_x509.c
parent3f55f203ee89e04511dc37b6a8ee7fe889b74c04 (diff)
openssl: parse X.509 extended key usage from extension parsing loop
Otherwise parsing is aborted if unknown critical extensions are treated as an error.
Diffstat (limited to 'src/libstrongswan/plugins/openssl/openssl_x509.c')
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c71
1 files changed, 38 insertions, 33 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index f15f511e7..24b12d50c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -679,6 +679,41 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
}
/**
+ * Parse ExtendedKeyUsage
+ */
+static bool parse_extKeyUsage_ext(private_openssl_x509_t *this,
+ X509_EXTENSION *ext)
+{
+ EXTENDED_KEY_USAGE *usage;
+ int i;
+
+ usage = X509V3_EXT_d2i(ext);
+ if (usage)
+ {
+ for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
+ {
+ switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
+ {
+ case NID_server_auth:
+ this->flags |= X509_SERVER_AUTH;
+ break;
+ case NID_client_auth:
+ this->flags |= X509_CLIENT_AUTH;
+ break;
+ case NID_OCSP_sign:
+ this->flags |= X509_OCSP_SIGNER;
+ break;
+ default:
+ break;
+ }
+ }
+ sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
* Parse CRL distribution points
*/
static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
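Review bot: The header comment on parse_extKeyUsage_ext does not state its return contract, and that contract differs from the removed parse_extKeyUsage: the old function silently ignored an ExtendedKeyUsage extension that could not be decoded, whereas the new one returns FALSE when X509V3_EXT_d2i yields NULL, which the parse_extensions loop appears to treat as a parse failure (the loop's handling of `ok` is outside this hunk). Suggest documenting it above the function: `/* Parse ExtendedKeyUsage. Sets X509_SERVER_AUTH / X509_CLIENT_AUTH / X509_OCSP_SIGNER for the recognised purposes; unrecognised purposes are ignored. Returns FALSE if the extension cannot be decoded, which aborts certificate parsing. */`. Note also that anyExtendedKeyUsage falls into the `default` branch and sets no flag; if the native x509 plugin treats it as matching any purpose, the two back-ends would disagree, which is worth checking against that parser since it is not visible here.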
@@ -963,6 +998,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
case NID_key_usage:
ok = parse_keyUsage_ext(this, ext);
break;
+ case NID_ext_key_usage:
+ ok = parse_extKeyUsage_ext(this, ext);
+ break;
case NID_crl_distribution_points:
ok = parse_crlDistributionPoints_ext(this, ext);
break;
@@ -996,38 +1034,6 @@ static bool parse_extensions(private_openssl_x509_t *this)
}
/**
- * Parse ExtendedKeyUsage
- */
-static void parse_extKeyUsage(private_openssl_x509_t *this)
-{
- EXTENDED_KEY_USAGE *usage;
- int i;
-
- usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
- if (usage)
- {
- for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
- {
- switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
- {
- case NID_server_auth:
- this->flags |= X509_SERVER_AUTH;
- break;
- case NID_client_auth:
- this->flags |= X509_CLIENT_AUTH;
- break;
- case NID_OCSP_sign:
- this->flags |= X509_OCSP_SIGNER;
- break;
- default:
- break;
- }
- }
- sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
- }
-}
-
-/**
* Parse a DER encoded x509 certificate
*/
static bool parse_certificate(private_openssl_x509_t *this)
@@ -1093,7 +1099,6 @@ static bool parse_certificate(private_openssl_x509_t *this)
{
return FALSE;
}
- parse_extKeyUsage(this);
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (!hasher || !hasher->allocate_hash(hasher, this->encoding, &this->hash))