diff options
author | Jack Lloyd <[email protected]> | 2016-08-30 08:23:43 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-08-30 08:23:43 -0400 |
commit | 786831251f378de9f2d1f07cbb843c1d1ee33672 (patch) | |
tree | 999929c02445324a6e2725d1dab1661dbefcab79 /src/lib | |
parent | 1f28b1ba70fff00bf76320becd45d0b66f20653c (diff) |
Change allowed_usage key usage checks to match RFC 5280
GH #611
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/cert/x509/x509cert.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp index cb9b644bc..ffedf43f0 100644 --- a/src/lib/cert/x509/x509cert.cpp +++ b/src/lib/cert/x509/x509cert.cpp @@ -276,16 +276,18 @@ bool X509_Certificate::allowed_extended_usage(const std::string& usage) const bool X509_Certificate::allowed_usage(Usage_Type usage) const { + // These follow suggestions in RFC 5280 4.2.1.12 + switch(usage) { case Usage_Type::UNSPECIFIED: return true; case Usage_Type::TLS_SERVER_AUTH: - return (allowed_usage(DATA_ENCIPHERMENT) || allowed_usage(KEY_ENCIPHERMENT) || allowed_usage(DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth"); + return (allowed_usage(KEY_AGREEMENT) || allowed_usage(KEY_ENCIPHERMENT) || allowed_usage(DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth"); case Usage_Type::TLS_CLIENT_AUTH: - return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(NON_REPUDIATION)) && allowed_extended_usage("PKIX.ClientAuth"); + return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(KEY_AGREEMENT)) && allowed_extended_usage("PKIX.ClientAuth"); case Usage_Type::OCSP_RESPONDER: return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(NON_REPUDIATION)) && allowed_extended_usage("PKIX.OCSPSigning"); |