Rename find_constraints() and let it throw instead of returning a combination

author: René Korthaus <[email protected]> 2016-08-19 14:16:13 +0200
committer: René Korthaus <[email protected]> 2016-08-19 14:18:35 +0200
commit: 6cbff45093199d821dee7ee74380474300f49948 (patch)
tree: 1fd3c82f4a067206d62844b7d438183f4003abb3 /src/lib/cert/x509/x509_ca.cpp
parent: 40a935209876b7c5360dadae85b0b26c2e13e0f5 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/src/lib/cert/x509/x509_ca.cpp b/src/lib/cert/x509/x509_ca.cpp
index d64ade6cd..58c6676f4 100644
--- a/src/lib/cert/x509/x509_ca.cpp
+++ b/src/lib/cert/x509/x509_ca.cpp
@@ -52,11 +52,14 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
    {
    Key_Constraints constraints;
    if(req.is_CA())
+      {
       constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
+      }
    else
       {
       std::unique_ptr<Public_Key> key(req.subject_public_key());
-      constraints = find_constraints(*key, req.constraints());
+      verify_cert_constraints_valid_for_key_type(*key, req.constraints());
+      constraints = req.constraints();
       }
 
    Extensions extensions;
@@ -65,7 +68,10 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
       new Cert_Extension::Basic_Constraints(req.is_CA(), req.path_limit()),
       true);
 
-   extensions.add(new Cert_Extension::Key_Usage(constraints), true);
+   if(constraints != NO_CONSTRAINTS)
+      {
+      extensions.add(new Cert_Extension::Key_Usage(constraints), true);
+      }
 
    extensions.add(new Cert_Extension::Authority_Key_ID(m_cert.subject_key_id()));
    extensions.add(new Cert_Extension::Subject_Key_ID(req.raw_public_key()));
author	René Korthaus <[email protected]>	2016-08-19 14:16:13 +0200
committer	René Korthaus <[email protected]>	2016-08-19 14:18:35 +0200
commit	6cbff45093199d821dee7ee74380474300f49948 (patch)
tree	1fd3c82f4a067206d62844b7d438183f4003abb3 /src/lib/cert/x509/x509_ca.cpp
parent	40a935209876b7c5360dadae85b0b26c2e13e0f5 (diff)