From 26abb7e637f4dc7e39ebb9ab7a32b523d228da20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Mon, 15 Dec 2008 04:32:49 +0000
Subject: [PATCH] option to turn off the KeyUsage check in CMS verify SignedData

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24204 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cms.c | 13 +++++++++++--
 lib/hx509/hx509.h | 1 +
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 8ec41344f..e295cc420 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -852,8 +852,17 @@ hx509_cms_verify_signed(hx509_context context,
 ret = find_CMSIdentifier(context, &signer_info->sid, certs,
 _hx509_verify_get_time(ctx), &cert,
 HX509_QUERY_KU_DIGITALSIGNATURE);
- if (ret)
- continue;
+ if (ret) {
+ if ((flags & HX509_CMS_VS_NO_KU_CHECK) == 0)
+ continue;
+
+ ret = find_CMSIdentifier(context, &signer_info->sid, certs,
+ _hx509_verify_get_time(ctx), &cert,
+ 0);
+ if (ret)
+ continue;
+
+ }
 if (signer_info->signedAttrs) {
 const Attribute *attr;
diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h
index 12e6ce942..4f1c5942f 100644
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -130,6 +130,7 @@ typedef enum {
 /* flags to hx509_cms_verify_signed */
 #define HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH 0x01
+#define HX509_CMS_VS_NO_KU_CHECK 0x02
 /* selectors passed to hx509_crypto_select and hx509_crypto_available */
 #define HX509_SELECT_ALL 0
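Review bot: The fallback lookup in the `if (ret)` branch passes `0` as the match flags, so with `HX509_CMS_VS_NO_KU_CHECK` set a certificate whose KeyUsage omits digitalSignature (an encryption-only or CA certificate, for instance) is accepted as the SignedData signer, and neither this branch nor the new `#define` in lib/hx509/hx509.h says so. A comment above the flag test, such as `/* NO_KU_CHECK: retry without the KeyUsage match; the signer certificate need not assert digitalSignature */`, and a matching one-line comment on the define would tell callers that the flag weakens key-usage separation; presumably it is meant for interoperability with non-conforming signers only. The retry also runs after any failure of the first lookup, not just a KeyUsage mismatch, and the empty line before the closing `}` can be dropped. hx509_cms_verify_signed starts and ends outside the hunk, so whether later validation constrains the chosen certificate further is not visible here.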