aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/plugins/openssl/openssl_x509.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/plugins/openssl/openssl_x509.c')
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c78
1 files changed, 44 insertions, 34 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index c98e8055d..24b12d50c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -679,6 +679,41 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
}
/**
+ * Parse ExtendedKeyUsage
+ */
+static bool parse_extKeyUsage_ext(private_openssl_x509_t *this,
+ X509_EXTENSION *ext)
+{
+ EXTENDED_KEY_USAGE *usage;
+ int i;
+
+ usage = X509V3_EXT_d2i(ext);
+ if (usage)
+ {
+ for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
+ {
+ switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
+ {
+ case NID_server_auth:
+ this->flags |= X509_SERVER_AUTH;
+ break;
+ case NID_client_auth:
+ this->flags |= X509_CLIENT_AUTH;
+ break;
+ case NID_OCSP_sign:
+ this->flags |= X509_OCSP_SIGNER;
+ break;
+ default:
+ break;
+ }
+ }
+ sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
* Parse CRL distribution points
*/
static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
@@ -963,6 +998,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
case NID_key_usage:
ok = parse_keyUsage_ext(this, ext);
break;
+ case NID_ext_key_usage:
+ ok = parse_extKeyUsage_ext(this, ext);
+ break;
case NID_crl_distribution_points:
ok = parse_crlDistributionPoints_ext(this, ext);
break;
@@ -977,7 +1015,12 @@ static bool parse_extensions(private_openssl_x509_t *this)
"libstrongswan.x509.enforce_critical", TRUE);
if (!ok)
{
- DBG1(DBG_LIB, "found unsupported critical X.509 extension");
+ char buf[80] = "";
+
+ OBJ_obj2txt(buf, sizeof(buf),
+ X509_EXTENSION_get_object(ext), 0);
+ DBG1(DBG_LIB, "found unsupported critical X.509 "
+ "extension: %s", buf);
}
break;
}
@@ -991,38 +1034,6 @@ static bool parse_extensions(private_openssl_x509_t *this)
}
/**
- * Parse ExtendedKeyUsage
- */
-static void parse_extKeyUsage(private_openssl_x509_t *this)
-{
- EXTENDED_KEY_USAGE *usage;
- int i;
-
- usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
- if (usage)
- {
- for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
- {
- switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
- {
- case NID_server_auth:
- this->flags |= X509_SERVER_AUTH;
- break;
- case NID_client_auth:
- this->flags |= X509_CLIENT_AUTH;
- break;
- case NID_OCSP_sign:
- this->flags |= X509_OCSP_SIGNER;
- break;
- default:
- break;
- }
- }
- sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
- }
-}
-
-/**
* Parse a DER encoded x509 certificate
*/
static bool parse_certificate(private_openssl_x509_t *this)
@@ -1088,7 +1099,6 @@ static bool parse_certificate(private_openssl_x509_t *this)
{
return FALSE;
}
- parse_extKeyUsage(this);
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (!hasher || !hasher->allocate_hash(hasher, this->encoding, &this->hash))
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-25 11:07:42 +0000