Diffstat (limited to 'src/Mayaqua/Encrypt.c')
-rw-r--r--src/Mayaqua/Encrypt.c66
1 files changed, 42 insertions, 24 deletions
diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c
index 7d29a050..f6fe91be 100644
--- a/src/Mayaqua/Encrypt.c
+++ b/src/Mayaqua/Encrypt.c
@@ -2602,28 +2602,38 @@ void AddKeyUsageX509(EXTENDED_KEY_USAGE *ex, int nid)
sk_ASN1_OBJECT_push(ex, obj);
}
}
-X509_EXTENSION *NewExtendedKeyUsageForX509()
+X509_EXTENSION *NewExtendedKeyUsageForX509(bool root_cert)
{
EXTENDED_KEY_USAGE *ex = sk_ASN1_OBJECT_new_null();
X509_EXTENSION *ret;
- AddKeyUsageX509(ex, NID_server_auth);
- AddKeyUsageX509(ex, NID_client_auth);
- AddKeyUsageX509(ex, NID_code_sign);
- AddKeyUsageX509(ex, NID_email_protect);
- AddKeyUsageX509(ex, NID_ipsecEndSystem);
- AddKeyUsageX509(ex, NID_ipsecTunnel);
- AddKeyUsageX509(ex, NID_ipsecUser);
- AddKeyUsageX509(ex, NID_time_stamp);
- AddKeyUsageX509(ex, NID_OCSP_sign);
+ if (root_cert)
+ {
+ AddKeyUsageX509(ex, NID_server_auth);
+ AddKeyUsageX509(ex, NID_client_auth);
+ AddKeyUsageX509(ex, NID_code_sign);
+ AddKeyUsageX509(ex, NID_email_protect);
+ AddKeyUsageX509(ex, NID_ipsecEndSystem);
+ AddKeyUsageX509(ex, NID_ipsecTunnel);
+ AddKeyUsageX509(ex, NID_ipsecUser);
+ AddKeyUsageX509(ex, NID_time_stamp);
+ AddKeyUsageX509(ex, NID_OCSP_sign);
+ }
+ else
+ {
+ AddKeyUsageX509(ex, NID_server_auth);
+ AddKeyUsageX509(ex, NID_client_auth);
+ AddKeyUsageX509(ex, NID_ipsecEndSystem);
+ AddKeyUsageX509(ex, NID_ipsecTunnel);
+ AddKeyUsageX509(ex, NID_ipsecUser);
+ }
ret = X509V3_EXT_i2d(NID_ext_key_usage, 0, ex);
sk_ASN1_OBJECT_pop_free(ex, ASN1_OBJECT_free);
return ret;
-}
-void BitStringSetBit(ASN1_BIT_STRING *str, int bit)
+}void BitStringSetBit(ASN1_BIT_STRING *str, int bit)
{
// Validate arguments
if (str == NULL)
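Review bot: `sk_ASN1_OBJECT_new_null()` at the top of NewExtendedKeyUsageForX509 is still used without a NULL check, while the sibling NewBasicKeyUsageForX509 guards its `ASN1_BIT_STRING_new()` result with `if (str != NULL)`; on allocation failure `ex` goes straight into AddKeyUsageX509 and X509V3_EXT_i2d. A guard such as `if (ex == NULL) { return NULL; }` directly after the allocation keeps the two constructors consistent and lets the callers' existing `!= NULL` checks absorb the failure. The two branches also repeat the five purposes common to both cases; adding those unconditionally and only code_sign/email_protect/time_stamp/OCSP_sign under `if (root_cert)` would make the root-only set explicit (the order of purposes inside the extKeyUsage SEQUENCE carries no meaning, but the encoded bytes would change). Separately, the new side fuses `}void BitStringSetBit(ASN1_BIT_STRING *str, int bit)` onto one line; the closing brace and the next definition should stay on separate lines as they were. AddKeyUsageX509's body starts outside the hunk.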
@@ -2633,7 +2643,7 @@ void BitStringSetBit(ASN1_BIT_STRING *str, int bit)
ASN1_BIT_STRING_set_bit(str, bit, 1);
}
-X509_EXTENSION *NewBasicKeyUsageForX509()
+X509_EXTENSION *NewBasicKeyUsageForX509(bool root_cert)
{
X509_EXTENSION *ret = NULL;
ASN1_BIT_STRING *str;
@@ -2641,13 +2651,21 @@ X509_EXTENSION *NewBasicKeyUsageForX509()
str = ASN1_BIT_STRING_new();
if (str != NULL)
{
- BitStringSetBit(str, 0); // KU_DIGITAL_SIGNATURE
- BitStringSetBit(str, 1); // KU_NON_REPUDIATION
- BitStringSetBit(str, 2); // KU_KEY_ENCIPHERMENT
- BitStringSetBit(str, 3); // KU_DATA_ENCIPHERMENT
- //BitStringSetBit(str, 4); // KU_KEY_AGREEMENT
- BitStringSetBit(str, 5); // KU_KEY_CERT_SIGN
- BitStringSetBit(str, 6); // KU_CRL_SIGN
+ if (root_cert)
+ {
+ BitStringSetBit(str, 0); // KU_DIGITAL_SIGNATURE
+ BitStringSetBit(str, 1); // KU_NON_REPUDIATION
+ BitStringSetBit(str, 2); // KU_KEY_ENCIPHERMENT
+ BitStringSetBit(str, 3); // KU_DATA_ENCIPHERMENT
+ //BitStringSetBit(str, 4); // KU_KEY_AGREEMENT
+ BitStringSetBit(str, 5); // KU_KEY_CERT_SIGN
+ BitStringSetBit(str, 6); // KU_CRL_SIGN
+ }
+ else
+ {
+ BitStringSetBit(str, 0); // KU_DIGITAL_SIGNATURE
+ BitStringSetBit(str, 2); // KU_KEY_ENCIPHERMENT
+ }
ret = X509V3_EXT_i2d(NID_key_usage, 0, str);
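Review bot: The `root_cert` flag is undocumented on NewBasicKeyUsageForX509 and on NewExtendedKeyUsageForX509 (signature hunk at L66-L67), and the two branches encode a policy decision that callers need to understand; a header comment such as `// root_cert: true = CA certificate (keeps keyCertSign/cRLSign), false = end-entity certificate (digitalSignature + keyEncipherment only)` would make the contract explicit. The root branch still sets nonRepudiation, keyEncipherment and dataEncipherment (bits 1-3) alongside keyCertSign/cRLSign; if the self-signed certificate is meant only as a trust anchor those bits are broader than a CA needs, whereas if it also serves directly as the TLS server certificate (its EKU branch keeps serverAuth, which suggests so) keyEncipherment remains necessary for RSA key exchange, and the comment should say which role each bit serves. The commented-out `//BitStringSetBit(str, 4); // KU_KEY_AGREEMENT` is carried into the new code; either state why keyAgreement is excluded or drop the dead line. The function's body continues beyond the hunk.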
@@ -2771,7 +2789,7 @@ X509 *NewX509Ex(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial,
*/
// Basic usage
- busage = NewBasicKeyUsageForX509();
+ busage = NewBasicKeyUsageForX509(false);
if (busage != NULL)
{
X509_add_ext(x509, busage, -1);
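Review bot: The `false` passed at `busage = NewBasicKeyUsageForX509(false);` (and `NewExtendedKeyUsageForX509(false)` in the next hunk) is a constant, so every certificate produced by NewX509Ex is now marked end-entity and no longer carries keyCertSign/cRLSign. That is the right default for server and client certificates, but if NewX509Ex is also used to issue subordinate CA certificates — its basicConstraints handling is outside this hunk, so I cannot tell from here — those would carry a keyUsage that forbids signing certificates, and most validators reject a chain built through such a CA. Consider deriving the flag from the same condition that decides CA:TRUE for the basicConstraints extension rather than hard-coding it at both call sites. NewX509Ex's body starts and ends outside the hunk.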
@@ -2779,7 +2797,7 @@ X509 *NewX509Ex(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial,
}
// EKU
- eku = NewExtendedKeyUsageForX509();
+ eku = NewExtendedKeyUsageForX509(false);
if (eku != NULL)
{
X509_add_ext(x509, eku, -1);
@@ -2912,7 +2930,7 @@ X509 *NewRootX509(K *pub, K *priv, NAME *name, UINT days, X_SERIAL *serial)
X509_EXTENSION_free(ex);
// Basic usage
- busage = NewBasicKeyUsageForX509();
+ busage = NewBasicKeyUsageForX509(true);
if (busage != NULL)
{
X509_add_ext(x509, busage, -1);
@@ -2920,7 +2938,7 @@ X509 *NewRootX509(K *pub, K *priv, NAME *name, UINT days, X_SERIAL *serial)
}
// EKU
- eku = NewExtendedKeyUsageForX509();
+ eku = NewExtendedKeyUsageForX509(true);
if (eku != NULL)
{
X509_add_ext(x509, eku, -1);