/* common S/MIME checks */ static int purpose_smime(const X509 *x, int ca) { if (xku_reject(x, XKU_SMIME)) return 0; if (ca) { int ca_ret; ca_ret = check_ca(x); if (!ca_ret) return 0; /* check nsCertType if present */ if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; else return 0; } if (x->ex_flags & EXFLAG_NSCERT) { if (x->ex_nscert & NS_SMIME) return 1; /* Workaround for some buggy certificates */ if (x->ex_nscert & NS_SSL_CLIENT) return 2; return 0; } return 1; }
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { if(xku_reject(x,XKU_SSL_CLIENT)) return 0; if(ca) return check_ssl_ca(x); /* We need to do digital signatures with it */ if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; /* nsCertType if present should allow SSL client use */ if(ns_reject(x, NS_SSL_CLIENT)) return 0; return 1; }
static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; if(ca) return check_ssl_ca(x); if(ns_reject(x, NS_SSL_SERVER)) return 0; if(ku_reject(x, KU_TLS)) return 0; return 1; }
static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; if(ca) return check_ssl_ca(x); if(ns_reject(x, NS_SSL_SERVER)) return 0; /* Now as for keyUsage: we'll at least need to sign OR encipher */ if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0; return 1; }