Confirm KU/EKU for server certs (#2463)

2026-03-14 16:44:39 +00:00 · 2018-06-15 02:27:45 -04:00 · 2018-06-15 02:27:45 -04:00 · ec9b710b68
commit ec9b710b68
parent b0a4a27a1f
1 changed files with 7 additions and 1 deletions
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@ -414,7 +414,13 @@ function cert_get_purpose($str_crt, $decode = true)
    $crt_details = openssl_x509_parse($str_crt);
    $purpose = array();
    $purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes';
-    if (isset($crt_details['extensions']['extendedKeyUsage']) && strstr($crt_details['extensions']['extendedKeyUsage'], "TLS Web Server Authentication") !== false) {
+    if (
+        isset($crt_details['extensions']['extendedKeyUsage'])
+        && strstr($crt_details['extensions']['extendedKeyUsage'], "TLS Web Server Authentication") !== false
+        && isset($crt_details['extensions']['keyUsage'])
+        && strpos($crt_details['extensions']['keyUsage'], "Digital Signature") !== false
+        && strpos($crt_details['extensions']['keyUsage'], "Key Encipherment") !== false
+    )
        $purpose['server'] = 'Yes';
    } else {
        $purpose['server'] = 'No';