From ec9b710b681226da708cfeff95b8dc2ba72581c2 Mon Sep 17 00:00:00 2001
From: Justin Coffman <12767509+whislock@users.noreply.github.com>
Date: Fri, 15 Jun 2018 02:27:45 -0400
Subject: [PATCH] Confirm KU/EKU for server certs (#2463)
---
 src/etc/inc/certs.inc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index fd2939c5c..de54a54e8 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -414,7 +414,13 @@ function cert_get_purpose($str_crt, $decode = true)
 $crt_details = openssl_x509_parse($str_crt);
 $purpose = array();
 $purpose['ca'] = (stristr($crt_details['extensions']['basicConstraints'], 'CA:TRUE') === false) ? 'No': 'Yes';
- if (isset($crt_details['extensions']['extendedKeyUsage']) && strstr($crt_details['extensions']['extendedKeyUsage'], "TLS Web Server Authentication") !== false) {
+ if (
+ isset($crt_details['extensions']['extendedKeyUsage'])
+ && strstr($crt_details['extensions']['extendedKeyUsage'], "TLS Web Server Authentication") !== false
+ && isset($crt_details['extensions']['keyUsage'])
+ && strpos($crt_details['extensions']['keyUsage'], "Digital Signature") !== false
+ && strpos($crt_details['extensions']['keyUsage'], "Key Encipherment") !== false
+ )
 $purpose['server'] = 'Yes';
 } else {
 $purpose['server'] = 'No';
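Review bot: The rewritten condition ends in a bare `)` where the removed line ended in `) {`, so the `} else {` two lines below has no block left to close and certs.inc should fail to parse as shown; the last added line needs to be `) {`. Because this is an include file, a parse error here would presumably break every page that loads it, not only the certificate purpose check. Separately, requiring both `Digital Signature` and `Key Encipherment` means that a certificate with no keyUsage extension, or an ECDSA certificate that normally carries only `Digital Signature`, is now reported as `server` = `No`. If that strictness is intended it deserves a comment above the condition; otherwise `Key Encipherment` should probably be required only for RSA keys. cert_get_purpose begins before and continues past this hunk.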