From 41e00c0c705b3ca6b6c0f4fad0b682eb171ef501 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Fri, 15 Sep 2006 05:59:35 +0000
Subject: [PATCH] Add a strict rfc3280 verification flag. rfc3280 requires certificates to have KeyUsage.keyCertSign if they are to be used for signing of certificates, but the step in the verifiation is optional.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18086 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 1272a426f..cfb5e76b2 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -35,18 +35,20 @@ RCSID("$Id$");
 #include "crypto-headers.h"
-
 struct hx509_verify_ctx_data {
 hx509_certs trust_anchors;
 int flags;
 #define HX509_VERIFY_CTX_F_TIME_SET 1
 #define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE 2
+#define HX509_VERIFY_CTX_F_REQUIRE_RFC3280 4
 time_t time_now;
 unsigned int max_depth;
 #define HX509_VERIFY_MAX_DEPTH 30
 hx509_revoke_ctx revoke_ctx;
 };
+#define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280)
+
 struct _hx509_cert_attrs {
 size_t len;
 hx509_cert_attribute *val;
@@ -333,6 +335,15 @@ hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
 ctx->flags &= ~HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE;
 }
+void
+hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
+{
+ if (boolean)
+ ctx->flags |= HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
+ else
+ ctx->flags &= ~HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
+}
+
 static const Extension *
 find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
 {
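Review bot: Neither the new HX509_VERIFY_CTX_F_REQUIRE_RFC3280 bit nor its setter hx509_verify_set_strict_rfc3280_verification carries a comment, so nothing here tells a caller that the keyCertSign requirement applied in hx509_verify_path becomes opt-in with this change (the flag presumably starts cleared; the context initialisation is outside the hunks). A header comment on the setter would cover it, for example `/* Enforce the RFC 3280 KeyUsage.keyCertSign requirement on CA certificates; disabled unless set. */`. REQUIRE_RFC3280(ctx) also yields the raw masked bit rather than 0 or 1, which works in the ternary at its one visible use but is easy to misuse in a comparison; `(((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280) != 0)` would avoid that.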
@@ -752,11 +763,14 @@ find_parent(hx509_context context,
 }
 }
+#if 0
 /*
 * Assume trust anchors isn't proxy certificates, require
 * KeyUsage.KeyCertSign
 */
 q.match |= HX509_QUERY_KU_KEYCERTSIGN;
+#endif
+
 ret = hx509_certs_find(context, trust_anchors, &q, parent);
 if (ret == 0) {
 free_AuthorityKeyIdentifier(&ai);
@@ -782,7 +796,7 @@ find_parent(hx509_context context,
 }
 hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND,
- "Failed to find issuer for"
+ "Failed to find issuer for "
 "certificate with subject: %s", str);
 free(str);
 }
@@ -1398,7 +1412,9 @@ hx509_verify_path(hx509_context context,
 switch (type) {
 case CA_CERT:
- ret = check_key_usage(context, c, 1 << 5, TRUE); /* XXX make constants */
+ /* XXX make constants for keyusage */
+ ret = check_key_usage(context, c, 1 << 5,
+ REQUIRE_RFC3280(ctx) ? TRUE : FALSE);
 if (ret)
 goto out;
 break;
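Review bot: The `#if 0` in find_parent drops the HX509_QUERY_KU_KEYCERTSIGN match on the trust-anchor lookup for every caller, so the strict flag added in this commit does not restore it here and the only keyCertSign check left in view is the one in hx509_verify_path. If that is intended, the dead block should be deleted and replaced by a comment saying where the key usage of a trust anchor is checked instead. If it is not, the match should be made conditional on strict mode, which would need the verify flags to reach find_parent; its parameter list is outside the hunk, so whether they already do cannot be seen from here.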
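Review bot: The CA_CERT branch in hx509_verify_path now passes FALSE to check_key_usage unless the caller opted in, where it previously always passed TRUE, so default path validation becomes more permissive for all existing callers without any of them changing. check_key_usage is defined outside the hunk; if its last argument means that the KeyUsage extension must be present, a CA certificate without the extension is accepted as an issuer by default, and it is worth confirming that the BasicConstraints CA check does not depend on this call. `REQUIRE_RFC3280(ctx) ? TRUE : FALSE` could be written `REQUIRE_RFC3280(ctx) != 0`, and `1 << 5` (presumably keyCertSign, bit 5 of KeyUsage in RFC 3280) still deserves the named constant the XXX comment asks for.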