author | Jack Lloyd <[email protected]> | 2016-08-30 08:23:43 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-08-30 08:23:43 -0400 |
commit | 786831251f378de9f2d1f07cbb843c1d1ee33672 (patch) | |
tree | 999929c02445324a6e2725d1dab1661dbefcab79 | |
parent | 1f28b1ba70fff00bf76320becd45d0b66f20653c (diff) |
Change allowed_usage key usage checks to match RFC 5280
GH #611
-rw-r--r-- | src/lib/cert/x509/x509cert.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp
index cb9b644bc..ffedf43f0 100644
--- a/src/lib/cert/x509/x509cert.cpp
+++ b/src/lib/cert/x509/x509cert.cpp
@@ -276,16 +276,18 @@ bool X509_Certificate::allowed_extended_usage(const std::string& usage) const
 bool X509_Certificate::allowed_usage(Usage_Type usage) const
 {
+ // These follow suggestions in RFC 5280 4.2.1.12
+
 switch(usage)
 {
 case Usage_Type::UNSPECIFIED:
 return true;
 case Usage_Type::TLS_SERVER_AUTH:
- return (allowed_usage(DATA_ENCIPHERMENT) || allowed_usage(KEY_ENCIPHERMENT) || allowed_usage(DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth");
+ return (allowed_usage(KEY_AGREEMENT) || allowed_usage(KEY_ENCIPHERMENT) || allowed_usage(DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth");
 case Usage_Type::TLS_CLIENT_AUTH:
- return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(NON_REPUDIATION)) && allowed_extended_usage("PKIX.ClientAuth");
+ return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(KEY_AGREEMENT)) && allowed_extended_usage("PKIX.ClientAuth");
 case Usage_Type::OCSP_RESPONDER:
 return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(NON_REPUDIATION)) && allowed_extended_usage("PKIX.OCSPSigning"); |
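Review bot: The TLS_SERVER_AUTH and TLS_CLIENT_AUTH cases pass when any one of the listed key-usage bits is set, so the answer does not depend on the key exchange actually negotiated; a certificate asserting only keyEncipherment passes TLS_SERVER_AUTH even for a handshake that needs a signature. RFC 5280 4.2.1.12 only lists bits that "may be consistent" with each extended key usage, so I would make the added comment say this is a coarse filter, e.g. `// Coarse check per RFC 5280 4.2.1.12: any listed bit passes; callers must still match the bit to the negotiated key exchange`. The change also tightens policy (a client certificate with only nonRepudiation, or a server certificate with only dataEncipherment, no longer passes), and the diffstat shows only this file touched, so a test pinning the accepted and rejected combinations would guard against regressions. The body of allowed_usage continues outside the hunk, so any later cases are not reviewed here.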