[strongSwan-dev] query on peer (remote) certificate validation

SIMON BABY simonkbaby at gmail.com
Mon Dec 7 18:46:04 CET 2020

Hi Tobias,
I will change the remote certificate key usage value to something not
compliant with RFC 4945.

As per RFC 4945: KeyUsage

IKE uses an end-entity certificate in the authentication process.
The end-entity certificate may be used for multiple applications. As
such, the CA can impose some constraints on the manner that a public
key ought to be used. The KeyUsage (KU) and ExtendedKeyUsage (EKU)
extensions apply in this situation.

Since we are talking about using the public key to validate a
signature, if the KeyUsage extension is present, then at least one of
the digitalSignature or the nonRepudiation bits in the KeyUsage
extension MUST be set (both can be set as well). It is also fine if
other KeyUsage bits are set.

A summary of the logic flow for peer cert validation follows:

o If no KU extension, continue.

o If KU present and doesn't mention digitalSignature or
nonRepudiation (both, in addition to other KUs, is also fine),
reject cert.

o If none of the above, continue.



On Mon, Dec 7, 2020 at 1:08 AM Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Simon,
> > I am specifically looking for interfacing my application with charon for
> > getting notification of a failure in the case of a remote certificate
> > parsing failed for key usage extension.
> How do you expect parsing of that extension to fail?
> Regards,
> Tobias
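
The RFC 4945 KeyUsage logic flow quoted in the message above, as an added C example that is not part of the original post and is not strongSwan's code. The function name `rfc4945_check_key_usage`, the result enum and the sample byte strings are hypothetical, and rejecting an extension that does not parse is an assumption of this example, not something the RFC text quoted here specifies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { KU_CONTINUE = 0, KU_REJECT = 1 } ku_result_t;

/* RFC 5280 KeyUsage: bit 0 is the MSB of the first data octet. */
#define KU_DIGITAL_SIGNATURE 0x80
#define KU_NON_REPUDIATION   0x40

/* Constructed DER BIT STRING samples, not from any real certificate. */
static const uint8_t KU_SIG_ONLY[]  = { 0x03, 0x02, 0x07, 0x80 }; /* digitalSignature */
static const uint8_t KU_KEY_ENC[]   = { 0x03, 0x02, 0x05, 0x20 }; /* keyEncipherment */
static const uint8_t KU_TRUNCATED[] = { 0x03, 0x02, 0x07 };       /* data octet missing */

/* ku: DER BIT STRING holding the KeyUsage value, or NULL when the
 * certificate has no KeyUsage extension. Assumption of this example:
 * an extension that does not parse is rejected rather than ignored. */
ku_result_t rfc4945_check_key_usage(const uint8_t *ku, size_t len)
{
    if (ku == NULL)
        return KU_CONTINUE;              /* no KU extension: continue */

    /* tag 0x03, short-form length matching the buffer, unused bits 0..7 */
    if (len < 3 || ku[0] != 0x03 || ku[1] > 0x7f ||
        (size_t)ku[1] != len - 2 || ku[2] > 7)
        return KU_REJECT;
    if (len == 3)
        return KU_REJECT;                /* empty bit string: no bits set */

    uint8_t first = ku[3];
    if (len == 4)                        /* drop bits declared as unused */
        first &= (uint8_t)(0xff << ku[2]);

    if (first & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))
        return KU_CONTINUE;              /* signature use is permitted */
    return KU_REJECT;                    /* KU present without either bit */
}

int main(void)
{
    printf("no KU extension:  %d\n", rfc4945_check_key_usage(NULL, 0));
    printf("digitalSignature: %d\n", rfc4945_check_key_usage(KU_SIG_ONLY, sizeof KU_SIG_ONLY));
    printf("keyEncipherment:  %d\n", rfc4945_check_key_usage(KU_KEY_ENC, sizeof KU_KEY_ENC));
    printf("truncated value:  %d\n", rfc4945_check_key_usage(KU_TRUNCATED, sizeof KU_TRUNCATED));
    return 0;
}
```
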