aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-08-30 08:23:43 -0400
committerJack Lloyd <[email protected]>2016-08-30 08:23:43 -0400
commit786831251f378de9f2d1f07cbb843c1d1ee33672 (patch)
tree999929c02445324a6e2725d1dab1661dbefcab79 /src
parent1f28b1ba70fff00bf76320becd45d0b66f20653c (diff)
Change allowed_usage key usage checks to match RFC 5280
GH #611
Diffstat (limited to 'src')
-rw-r--r--src/lib/cert/x509/x509cert.cpp6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp
index cb9b644bc..ffedf43f0 100644
--- a/src/lib/cert/x509/x509cert.cpp
+++ b/src/lib/cert/x509/x509cert.cpp
@@ -276,16 +276,18 @@ bool X509_Certificate::allowed_extended_usage(const std::string& usage) const
bool X509_Certificate::allowed_usage(Usage_Type usage) const
{
+ // These follow suggestions in RFC 5280 4.2.1.12
+
switch(usage)
{
case Usage_Type::UNSPECIFIED:
return true;
case Usage_Type::TLS_SERVER_AUTH:
- return (allowed_usage(DATA_ENCIPHERMENT) || allowed_usage(KEY_ENCIPHERMENT) || allowed_usage(DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth");
+ return (allowed_usage(KEY_AGREEMENT) || allowed_usage(KEY_ENCIPHERMENT) || allowed_usage(DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth");
case Usage_Type::TLS_CLIENT_AUTH:
- return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(NON_REPUDIATION)) && allowed_extended_usage("PKIX.ClientAuth");
+ return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(KEY_AGREEMENT)) && allowed_extended_usage("PKIX.ClientAuth");
case Usage_Type::OCSP_RESPONDER:
return (allowed_usage(DIGITAL_SIGNATURE) || allowed_usage(NON_REPUDIATION)) && allowed_extended_usage("PKIX.OCSPSigning");