# HG changeset patch

# User Robert Relyea <rrelyea@redhat.com>

# Date 1541713180 28800

#      Thu Nov 08 13:39:40 2018 -0800

# Node ID 0c8334a3b23372556ebedbdfe513417eb9ee55a0

# Parent  070bebf39672054410437b0cf931e00a8920a1ff

try: -b do -p all -u all -t all

diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c

--- a/cmd/certutil/certutil.c

+++ b/cmd/certutil/certutil.c

@@ -736,16 +736,19 @@ ValidateCert(CERTCertDBHandle *handle, c

             usage = certificateUsageVerifyCA;

             break;

         case 'C':

             usage = certificateUsageSSLClient;

             break;

         case 'V':

             usage = certificateUsageSSLServer;

             break;

+        case 'I':

+            usage = certificateUsageIPsec;

+            break;

         case 'S':

             usage = certificateUsageEmailSigner;

             break;

         case 'R':

             usage = certificateUsageEmailRecipient;

             break;

         case 'J':

             usage = certificateUsageObjectSigner;

@@ -1701,16 +1704,17 @@ luV(enum usage_level ul, const char *com

         "   -n cert-name");

     FPS "%-20s validity time (\"YYMMDDHHMMSS[+HHMM|-HHMM|Z]\")\n",

         "   -b time");

     FPS "%-20s Check certificate signature \n",

         "   -e ");

     FPS "%-20s Specify certificate usage:\n", "   -u certusage");

     FPS "%-25s C \t SSL Client\n", "");

     FPS "%-25s V \t SSL Server\n", "");

+    FPS "%-25s I \t IPsec\n", "");

     FPS "%-25s L \t SSL CA\n", "");

     FPS "%-25s A \t Any CA\n", "");

     FPS "%-25s Y \t Verify CA\n", "");

     FPS "%-25s S \t Email signer\n", "");

     FPS "%-25s R \t Email Recipient\n", "");

     FPS "%-25s O \t OCSP status responder\n", "");

     FPS "%-25s J \t Object signer\n", "");

     FPS "%-20s Cert database directory (default is ~/.netscape)\n",

diff --git a/cmd/dbck/dbrecover.c b/cmd/dbck/dbrecover.c

--- a/cmd/dbck/dbrecover.c

+++ b/cmd/dbck/dbrecover.c

@@ -283,17 +283,18 @@ addCertToDB(certDBEntryCert *certEntry, 

     userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||

                (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||

                (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);

     if (userCert)

         goto createcert;

     /*  If user chooses so, ignore expired certificates.  */

     allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||

-                             (oldCert->keyUsage == certUsageSSLServerWithStepUp));

+                             (oldCert->keyUsage == certUsageSSLServerWithStepUp) ||

+                             (oldCert->keyUsage == certUsageIPsec));

     validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);

     /*  If cert expired and user wants to delete it, ignore it. */

     if ((validity != secCertTimeValid) &&

         userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {

         info->dbErrors[dbInvalidCert]++;

         if (info->verbose) {

             PR_fprintf(info->out, "Deleting expired certificate:\n");

             dumpCertificate(oldCert, -1, info->out);

diff --git a/cmd/ocspclnt/ocspclnt.c b/cmd/ocspclnt/ocspclnt.c

--- a/cmd/ocspclnt/ocspclnt.c

+++ b/cmd/ocspclnt/ocspclnt.c

@@ -129,16 +129,18 @@ long_usage(char *progname)

     PR_fprintf(pr_stderr,

                "  %-13s Type of certificate usage for verification:\n",

                "-u usage");

     PR_fprintf(pr_stderr,

                "%-17s c   SSL Client\n", "");

     PR_fprintf(pr_stderr,

                "%-17s s   SSL Server\n", "");

     PR_fprintf(pr_stderr,

+               "%-17s I   IPsec\n", "");

+    PR_fprintf(pr_stderr,

                "%-17s e   Email Recipient\n", "");

     PR_fprintf(pr_stderr,

                "%-17s E   Email Signer\n", "");

     PR_fprintf(pr_stderr,

                "%-17s S   Object Signer\n", "");

     PR_fprintf(pr_stderr,

                "%-17s C   CA\n", "");

     PR_fprintf(pr_stderr,

@@ -903,16 +905,19 @@ cert_usage_from_char(const char *cert_us

     switch (*cert_usage_str) {

         case 'c':

             *cert_usage = certUsageSSLClient;

             break;

         case 's':

             *cert_usage = certUsageSSLServer;

             break;

+        case 'I':

+            *cert_usage = certUsageIPsec;

+            break;

         case 'e':

             *cert_usage = certUsageEmailRecipient;

             break;

         case 'E':

             *cert_usage = certUsageEmailSigner;

             break;

         case 'S':

             *cert_usage = certUsageObjectSigner;

diff --git a/cmd/p7verify/p7verify.c b/cmd/p7verify/p7verify.c

--- a/cmd/p7verify/p7verify.c

+++ b/cmd/p7verify/p7verify.c

@@ -112,16 +112,17 @@ Usage(char *progName)

     fprintf(stderr, "%-25s  4 - certUsageEmailSigner\n", " ");

     fprintf(stderr, "%-25s  5 - certUsageEmailRecipient\n", " ");

     fprintf(stderr, "%-25s  6 - certUsageObjectSigner\n", " ");

     fprintf(stderr, "%-25s  7 - certUsageUserCertImport\n", " ");

     fprintf(stderr, "%-25s  8 - certUsageVerifyCA\n", " ");

     fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");

     fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");

     fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");

+    fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");

     exit(-1);

 }

 static int

 HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature,

                     SECCertUsage usage, char *progName)

 {

diff --git a/cmd/smimetools/cmsutil.c b/cmd/smimetools/cmsutil.c

--- a/cmd/smimetools/cmsutil.c

+++ b/cmd/smimetools/cmsutil.c

@@ -110,16 +110,17 @@ Usage(void)

     fprintf(stderr, "%-25s  4 - certUsageEmailSigner\n", " ");

     fprintf(stderr, "%-25s  5 - certUsageEmailRecipient\n", " ");

     fprintf(stderr, "%-25s  6 - certUsageObjectSigner\n", " ");

     fprintf(stderr, "%-25s  7 - certUsageUserCertImport\n", " ");

     fprintf(stderr, "%-25s  8 - certUsageVerifyCA\n", " ");

     fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");

     fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");

     fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");

+    fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");

     exit(-1);

 }

 struct optionsStr {

     char *pwfile;

     char *password;

     SECCertUsage certUsage;

diff --git a/cmd/vfychain/vfychain.c b/cmd/vfychain/vfychain.c

--- a/cmd/vfychain/vfychain.c

+++ b/cmd/vfychain/vfychain.c

@@ -59,17 +59,18 @@ Usage(const char *progName)

             "\t-o oid\t\t Set policy OID for cert validation(Format OID.1.2.3)\n"

             "\t-p \t\t Use PKIX Library to validate certificate by calling:\n"

             "\t\t\t   * CERT_VerifyCertificate if specified once,\n"

             "\t\t\t   * CERT_PKIXVerifyCert if specified twice and more.\n"

             "\t-r\t\t Following certfile is raw binary DER (default)\n"

             "\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"

             "\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"

             "\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"

-            "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"

+            "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA,\n"

+            "\t\t\t 12=IPsec\n"

             "\t-T\t\t Trust both explicit trust anchors (-t) and the database.\n"

             "\t\t\t (Default is to only trust certificates marked -t, if there are any,\n"

             "\t\t\t or to trust the database if there are certificates marked -t.)\n"

             "\t-v\t\t Verbose mode. Prints root cert subject(double the\n"

             "\t\t\t argument for whole root cert info)\n"

             "\t-w password\t Database password.\n"

             "\t-W pwfile\t Password file.\n\n"

             "\tRevocation options for PKIX API(invoked with -pp options) is a\n"

diff --git a/lib/certdb/certdb.c b/lib/certdb/certdb.c

--- a/lib/certdb/certdb.c

+++ b/lib/certdb/certdb.c

@@ -441,16 +441,84 @@ cert_GetCertType(CERTCertificate *cert)

     nsCertType = cert_ComputeCertType(cert);

     /* Assert that it is safe to cast &cert->nsCertType to "PRInt32 *" */

     PORT_Assert(sizeof(cert->nsCertType) == sizeof(PRInt32));

     PR_ATOMIC_SET((PRInt32 *)&cert->nsCertType, nsCertType);

     return SECSuccess;

 }

+PRBool

+cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical)

+{

+    SECStatus rv;

+    SECItem encodedExtKeyUsage;

+    CERTOidSequence *extKeyUsage = NULL;

+    PRBool result = PR_FALSE;

+

+    rv = CERT_GetExtenCriticality(cert->extensions,

+                                  SEC_OID_X509_EXT_KEY_USAGE,

+                                  isCritical);

+    if (rv != SECSuccess) {

+        *isCritical = PR_FALSE;

+    }

+

+    encodedExtKeyUsage.data = NULL;

+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,

+                                &encodedExtKeyUsage);

+    if (rv != SECSuccess) {

+        /* EKU not present, allowed. */

+        result = PR_TRUE;

+        goto done;

+    }

+

+    extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);

+    if (!extKeyUsage) {

+        /* failure */

+        goto done;

+    }

+

+    if (findOIDinOIDSeqByTagNum(extKeyUsage,

+                                SEC_OID_X509_ANY_EXT_KEY_USAGE) ==

+        SECSuccess) {

+        result = PR_TRUE;

+        goto done;

+    }

+

+    if (findOIDinOIDSeqByTagNum(extKeyUsage,

+                                SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) ==

+        SECSuccess) {

+        result = PR_TRUE;

+        goto done;

+    }

+

+    if (findOIDinOIDSeqByTagNum(extKeyUsage,

+                                SEC_OID_IPSEC_IKE_END) ==

+        SECSuccess) {

+        result = PR_TRUE;

+        goto done;

+    }

+

+    if (findOIDinOIDSeqByTagNum(extKeyUsage,

+                                SEC_OID_IPSEC_IKE_INTERMEDIATE) ==

+        SECSuccess) {

+        result = PR_TRUE;

+        goto done;

+    }

+

+done:

+    if (encodedExtKeyUsage.data != NULL) {

+        PORT_Free(encodedExtKeyUsage.data);

+    }

+    if (extKeyUsage != NULL) {

+        CERT_DestroyOidSequence(extKeyUsage);

+    }

+    return result;

+}

+

 PRUint32

 cert_ComputeCertType(CERTCertificate *cert)

 {

     SECStatus rv;

     SECItem tmpitem;

     SECItem encodedExtKeyUsage;

     CERTOidSequence *extKeyUsage = NULL;

     PRBool basicConstraintPresent = PR_FALSE;

@@ -1078,16 +1146,20 @@ CERT_KeyUsageAndTypeForCertUsage(SECCert

             case certUsageSSLClient:

                 requiredKeyUsage = KU_KEY_CERT_SIGN;

                 requiredCertType = NS_CERT_TYPE_SSL_CA;

                 break;

             case certUsageSSLServer:

                 requiredKeyUsage = KU_KEY_CERT_SIGN;

                 requiredCertType = NS_CERT_TYPE_SSL_CA;

                 break;

+            case certUsageIPsec:

+                requiredKeyUsage = KU_KEY_CERT_SIGN;

+                requiredCertType = NS_CERT_TYPE_SSL_CA;

+                break;

             case certUsageSSLCA:

                 requiredKeyUsage = KU_KEY_CERT_SIGN;

                 requiredCertType = NS_CERT_TYPE_SSL_CA;

                 break;

             case certUsageEmailSigner:

                 requiredKeyUsage = KU_KEY_CERT_SIGN;

                 requiredCertType = NS_CERT_TYPE_EMAIL_CA;

                 break;

@@ -1120,16 +1192,21 @@ CERT_KeyUsageAndTypeForCertUsage(SECCert

                  */

                 requiredKeyUsage = KU_DIGITAL_SIGNATURE;

                 requiredCertType = NS_CERT_TYPE_SSL_CLIENT;

                 break;

             case certUsageSSLServer:

                 requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;

                 requiredCertType = NS_CERT_TYPE_SSL_SERVER;

                 break;

+            case certUsageIPsec:

+                /* RFC 4945 Section 5.1.3.2 */

+                requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;

+                requiredCertType = 0;

+                break;

             case certUsageSSLServerWithStepUp:

                 requiredKeyUsage =

                     KU_KEY_AGREEMENT_OR_ENCIPHERMENT | KU_NS_GOVT_APPROVED;

                 requiredCertType = NS_CERT_TYPE_SSL_SERVER;

                 break;

             case certUsageSSLCA:

                 requiredKeyUsage = KU_KEY_CERT_SIGN;

                 requiredCertType = NS_CERT_TYPE_SSL_CA;

diff --git a/lib/certdb/certi.h b/lib/certdb/certi.h

--- a/lib/certdb/certi.h

+++ b/lib/certdb/certi.h

@@ -289,16 +289,19 @@ SECStatus cert_DestroyLocks(void);

 extern SECStatus cert_GetCertType(CERTCertificate* cert);

 /*

  * compute and return the value of nsCertType for cert, but do not

  * update the CERTCertificate.

  */

 extern PRUint32 cert_ComputeCertType(CERTCertificate* cert);

+extern PRBool cert_EKUAllowsIPsecIKE(CERTCertificate* cert,

+                                     PRBool* isCritical);

+

 void cert_AddToVerifyLog(CERTVerifyLog* log, CERTCertificate* cert,

                          long errorCode, unsigned int depth, void* arg);

 /* Insert a DER CRL into the CRL cache, and take ownership of it.

  *

  * cert_CacheCRLByGeneralName takes ownership of the memory in crl argument

  * completely.  crl must be freeable by SECITEM_FreeItem. It will be freed

  * immediately if it is rejected from the CRL cache, or later during cache

diff --git a/lib/certdb/certt.h b/lib/certdb/certt.h

--- a/lib/certdb/certt.h

+++ b/lib/certdb/certt.h

@@ -442,17 +442,18 @@ typedef enum SECCertUsageEnum {

     certUsageSSLCA = 3,

     certUsageEmailSigner = 4,

     certUsageEmailRecipient = 5,

     certUsageObjectSigner = 6,

     certUsageUserCertImport = 7,

     certUsageVerifyCA = 8,

     certUsageProtectedObjectSigner = 9,

     certUsageStatusResponder = 10,

-    certUsageAnyCA = 11

+    certUsageAnyCA = 11,

+    certUsageIPsec = 12

 } SECCertUsage;

 typedef PRInt64 SECCertificateUsage;

 #define certificateUsageCheckAllUsages (0x0000)

 #define certificateUsageSSLClient (0x0001)

 #define certificateUsageSSLServer (0x0002)

 #define certificateUsageSSLServerWithStepUp (0x0004)

@@ -460,18 +461,19 @@ typedef PRInt64 SECCertificateUsage;

 #define certificateUsageEmailSigner (0x0010)

 #define certificateUsageEmailRecipient (0x0020)

 #define certificateUsageObjectSigner (0x0040)

 #define certificateUsageUserCertImport (0x0080)

 #define certificateUsageVerifyCA (0x0100)

 #define certificateUsageProtectedObjectSigner (0x0200)

 #define certificateUsageStatusResponder (0x0400)

 #define certificateUsageAnyCA (0x0800)

+#define certificateUsageIPsec (0x1000)

-#define certificateUsageHighest certificateUsageAnyCA

+#define certificateUsageHighest certificateUsageIPsec

 /*

  * Does the cert belong to the user, a peer, or a CA.

  */

 typedef enum CERTCertOwnerEnum {

     certOwnerUser = 0,

     certOwnerPeer = 1,

     certOwnerCA = 2

diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c

--- a/lib/certhigh/certvfy.c

+++ b/lib/certhigh/certvfy.c

@@ -284,16 +284,20 @@ CERT_TrustFlagsForCACertUsage(SECCertUsa

             requiredFlags = CERTDB_TRUSTED_CLIENT_CA;

             trustType = trustSSL;

             break;

         case certUsageSSLServer:

         case certUsageSSLCA:

             requiredFlags = CERTDB_TRUSTED_CA;

             trustType = trustSSL;

             break;

+        case certUsageIPsec:

+            requiredFlags = CERTDB_TRUSTED_CA;

+            trustType = trustSSL;

+            break;

         case certUsageSSLServerWithStepUp:

             requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;

             trustType = trustSSL;

             break;

         case certUsageEmailSigner:

         case certUsageEmailRecipient:

             requiredFlags = CERTDB_TRUSTED_CA;

             trustType = trustEmail;

@@ -574,16 +578,17 @@ cert_VerifyCertChainOld(CERTCertDBHandle

         EXIT_IF_NOT_LOGGING(log);

         requiredCAKeyUsage = 0;

         caCertType = 0;

     }

     switch (certUsage) {

         case certUsageSSLClient:

         case certUsageSSLServer:

+        case certUsageIPsec:

         case certUsageSSLCA:

         case certUsageSSLServerWithStepUp:

         case certUsageEmailSigner:

         case certUsageEmailRecipient:

         case certUsageObjectSigner:

         case certUsageVerifyCA:

         case certUsageAnyCA:

         case certUsageStatusResponder:

@@ -640,17 +645,18 @@ cert_VerifyCertChainOld(CERTCertDBHandle

          * certifcates (except leaf (EE) certs, root CAs, and self-issued

          * intermediate CAs) to be verified against the name constraints

          * extension of the issuer certificate.

          */

         if (subjectCertIsSelfIssued == PR_FALSE) {

             CERTGeneralName *subjectNameList;

             int subjectNameListLen;

             int i;

-            PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);

+            PRBool getSubjectCN = (!count &&

+                                   (certUsage == certUsageSSLServer || certUsage == certUsageIPsec));

             subjectNameList =

                 CERT_GetConstrainedCertificateNames(subjectCert, arena,

                                                     getSubjectCN);

             if (!subjectNameList)

                 goto loser;

             subjectNameListLen = CERT_GetNamesLength(subjectNameList);

             if (!subjectNameListLen)

                 goto loser;

@@ -981,16 +987,17 @@ CERT_VerifyCACertForUsage(CERTCertDBHand

         EXIT_IF_NOT_LOGGING(log);

         requiredCAKeyUsage = 0;

         caCertType = 0;

     }

     switch (certUsage) {

         case certUsageSSLClient:

         case certUsageSSLServer:

+        case certUsageIPsec:

         case certUsageSSLCA:

         case certUsageSSLServerWithStepUp:

         case certUsageEmailSigner:

         case certUsageEmailRecipient:

         case certUsageObjectSigner:

         case certUsageVerifyCA:

         case certUsageStatusResponder:

             if (CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,

@@ -1166,16 +1173,17 @@ cert_CheckLeafTrust(CERTCertificate *cer

     *failedFlags = 0;

     *trusted = PR_FALSE;

     /* check trust flags to see if this cert is directly trusted */

     if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {

         switch (certUsage) {

             case certUsageSSLClient:

             case certUsageSSLServer:

+            case certUsageIPsec:

                 flags = trust.sslFlags;

                 /* is the cert directly trusted or not trusted ? */

                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is

                             * authoritative */

                     if (flags & CERTDB_TRUSTED) {     /* trust this cert */

                         *trusted = PR_TRUE;

                         return SECSuccess;

@@ -1342,45 +1350,48 @@ CERT_VerifyCertificate(CERTCertDBHandle 

         /* we don't have a place to return status for all usages,

            so we can skip checks for usages that aren't required */

         checkAllUsages = PR_FALSE;

     }

     valid = SECSuccess; /* start off assuming cert is valid */

     /* make sure that the cert is valid at time t */

     allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||

-                             (requiredUsages & certificateUsageSSLServerWithStepUp));

+                             (requiredUsages & certificateUsageSSLServerWithStepUp) ||

+                             (requiredUsages & certificateUsageIPsec));

     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);

     if (validity != secCertTimeValid) {

         valid = SECFailure;

         LOG_ERROR_OR_EXIT(log, cert, 0, validity);

     }

     /* check key usage and netscape cert type */

     cert_GetCertType(cert);

     certType = cert->nsCertType;

     for (i = 1; i <= certificateUsageHighest &&

                 (SECSuccess == valid || returnedUsages || log);) {

+        PRBool typeAndEKUAllowed = PR_TRUE;

         PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;

         if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {

             NEXT_USAGE();

         }

         if (returnedUsages) {

             *returnedUsages |= i; /* start off assuming this usage is valid */

         }

         switch (certUsage) {

             case certUsageSSLClient:

             case certUsageSSLServer:

             case certUsageSSLServerWithStepUp:

             case certUsageSSLCA:

             case certUsageEmailSigner:

             case certUsageEmailRecipient:

             case certUsageObjectSigner:

             case certUsageStatusResponder:

+            case certUsageIPsec:

                 rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,

                                                       &requiredKeyUsage,

                                                       &requiredCertType);

                 if (rv != SECSuccess) {

                     PORT_Assert(0);

                     /* EXIT_IF_NOT_LOGGING(log); XXX ??? */

                     requiredKeyUsage = 0;

                     requiredCertType = 0;

@@ -1403,17 +1414,29 @@ CERT_VerifyCertificate(CERTCertDBHandle 

         }

         if (CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess) {

             if (PR_TRUE == requiredUsage) {

                 PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);

             }

             LOG_ERROR(log, cert, 0, requiredKeyUsage);

             INVALID_USAGE();

         }

-        if (!(certType & requiredCertType)) {

+        if (certUsage != certUsageIPsec) {

+            if (!(certType & requiredCertType)) {

+                typeAndEKUAllowed = PR_FALSE;

+            }

+        } else {

+            PRBool isCritical;

+            PRBool allowed = cert_EKUAllowsIPsecIKE(cert, &isCritical);

+            /* If the extension isn't critical, we allow any EKU value. */

+            if (isCritical && !allowed) {

+                typeAndEKUAllowed = PR_FALSE;

+            }

+        }

+        if (!typeAndEKUAllowed) {

             if (PR_TRUE == requiredUsage) {

                 PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);

             }

             LOG_ERROR(log, cert, 0, requiredCertType);

             INVALID_USAGE();

         }

         rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);

@@ -1503,29 +1526,31 @@ cert_VerifyCertWithFlags(CERTCertDBHandl

     if (rv != SECSuccess) {

         PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);

         LOG_ERROR_OR_EXIT(log, cert, 0, 0);

     }

 #endif

     /* make sure that the cert is valid at time t */

     allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||

-                             (certUsage == certUsageSSLServerWithStepUp));

+                             (certUsage == certUsageSSLServerWithStepUp) ||

+                             (certUsage == certUsageIPsec));

     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);

     if (validity != secCertTimeValid) {

         LOG_ERROR_OR_EXIT(log, cert, 0, validity);

     }

     /* check key usage and netscape cert type */

     cert_GetCertType(cert);

     certType = cert->nsCertType;

     switch (certUsage) {

         case certUsageSSLClient:

         case certUsageSSLServer:

         case certUsageSSLServerWithStepUp:

+        case certUsageIPsec:

         case certUsageSSLCA:

         case certUsageEmailSigner:

         case certUsageEmailRecipient:

         case certUsageObjectSigner:

         case certUsageStatusResponder:

             rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,

                                                   &requiredKeyUsage,

                                                   &requiredCertType);

@@ -1628,16 +1653,17 @@ CERT_VerifyCertNow(CERTCertDBHandle *han

 }

 /* [ FROM pcertdb.c ] */

 /*

  * Supported usage values and types:

  *  certUsageSSLClient

  *  certUsageSSLServer

  *  certUsageSSLServerWithStepUp

+ *  certUsageIPsec

  *  certUsageEmailSigner

  *  certUsageEmailRecipient

  *  certUsageObjectSigner

  */

 CERTCertificate *

 CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,

                       CERTCertOwner owner, SECCertUsage usage,

diff --git a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c

--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c

+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c

@@ -2909,17 +2909,18 @@ PKIX_PL_Cert_CheckValidity(

                         PKIX_DATEGETPRTIMEFAILED);

         } else {

                 timeToCheck = PR_Now();

         }

         requiredUsages = ((PKIX_PL_NssContext*)plContext)->certificateUsage;

         allowOverride =

             (PRBool)((requiredUsages & certificateUsageSSLServer) ||

-                     (requiredUsages & certificateUsageSSLServerWithStepUp));

+                     (requiredUsages & certificateUsageSSLServerWithStepUp) ||

+                     (requiredUsages & certificateUsageIPsec));

         val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);

         if (val != secCertTimeValid){

                 PKIX_ERROR(PKIX_CERTCHECKCERTVALIDTIMESFAILED);

         }

 cleanup:

         PKIX_RETURN(CERT);

 }

@@ -2996,18 +2997,27 @@ PKIX_PL_Cert_VerifyCertAndKeyType(

         /* use this key usage and cert type for certUsageAnyCA and

          * certUsageVerifyCA. */

 	requiredKeyUsage = KU_KEY_CERT_SIGN;

 	requiredCertType = NS_CERT_TYPE_CA;

     }

     if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {

         PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);

     }

-    if (!(certType & requiredCertType)) {

-        PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);

+    if (certUsage != certUsageIPsec) {

+        if (!(certType & requiredCertType)) {

+            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);

+        }

+    } else {

+        PRBool isCritical;

+        PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);

+        /* If the extension isn't critical, we allow any EKU value. */

+        if (isCritical && !allowed) {

+            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);

+        }

     }

 cleanup:

     PKIX_DECREF(basicConstraints);

     PKIX_RETURN(CERT);

 }

 /*

  * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage (see comments in pkix_pl_pki.h)

diff --git a/tests/chains/chains.sh b/tests/chains/chains.sh

--- a/tests/chains/chains.sh

+++ b/tests/chains/chains.sh

@@ -347,16 +347,22 @@ create_cert_req()

     OPTIONS=

     if [ "${TYPE}" != "EE" ]; then

         CA_FLAG="-2"

         EXT_DATA="y

 -1

 y

 "

+    else

+        CA_FLAG="-2"

+        EXT_DATA="n

+-1

+y

+"

     fi

     process_crldp

     echo "${EXT_DATA}" > ${CU_DATA}

     TESTNAME="Creating ${TYPE} certifiate request ${REQ}"

     echo "${SCRIPTNAME}: ${TESTNAME}"

@@ -1253,16 +1259,22 @@ process_scenario()

     while read AIA_FILE

     do

 	rm ${AIA_FILE} 2> /dev/null

     done < ${AIA_FILES}

     rm ${AIA_FILES}

 }

+# process ipsec.cfg separately

+chains_ipsec()

+{

+    process_scenario "ipsec.cfg"

+}

+

 # process ocspd.cfg separately

 chains_ocspd()

 {

     process_scenario "ocspd.cfg"

 }

 # process ocsp.cfg separately

 chains_method()

@@ -1274,29 +1286,31 @@ chains_method()

 # local shell function to process all testing scenarios

 ########################################################################

 chains_main()

 {

     while read LINE 

     do

         [ `echo ${LINE} | cut -b 1` != "#" ] || continue

+	[ ${LINE} != 'ipsec.cfg' ] || continue