option to turn off the KeyUsage check in CMS verify SignedData

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24204 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-12-15 04:32:49 +00:00
parent 5f2da72d8a
commit 26abb7e637
2 changed files with 12 additions and 2 deletions
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -852,8 +852,17 @@ hx509_cms_verify_signed(hx509_context context,
 	ret = find_CMSIdentifier(context, &signer_info->sid, certs,
 				 _hx509_verify_get_time(ctx), &cert,
 				 HX509_QUERY_KU_DIGITALSIGNATURE);
-	if (ret)
-	    continue;
+	if (ret) {
+	    if ((flags & HX509_CMS_VS_NO_KU_CHECK) == 0)
+		continue;
+
+	    ret = find_CMSIdentifier(context, &signer_info->sid, certs,
+				     _hx509_verify_get_time(ctx), &cert,
+				     0);
+	    if (ret)
+		continue;
+
+	}

 	if (signer_info->signedAttrs) {
 	    const Attribute *attr;
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -130,6 +130,7 @@ typedef enum {

 /* flags to hx509_cms_verify_signed */
 #define HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH		0x01
+#define HX509_CMS_VS_NO_KU_CHECK			0x02

 /* selectors passed to hx509_crypto_select and hx509_crypto_available */
 #define HX509_SELECT_ALL 0