Hi Tobias, I will change the remote certificate key usage value to something not compliant with RFC 4945.
As per RFC 4945: 5.1.3.2. KeyUsage IKE uses an end-entity certificate in the authentication process. The end-entity certificate may be used for multiple applications. As such, the CA can impose some constraints on the manner that a public key ought to be used. The KeyUsage (KU) and ExtendedKeyUsage (EKU) extensions apply in this situation. Since we are talking about using the public key to validate a signature, if the KeyUsage extension is present, then at least one of the digitalSignature or the nonRepudiation bits in the KeyUsage extension MUST be set (both can be set as well). It is also fine if other KeyUsage bits are set. A summary of the logic flow for peer cert validation follows: o If no KU extension, continue. o If KU present and doesn't mention digitalSignature or nonRepudiation (both, in addition to other KUs, is also fine), reject cert. o If none of the above, continue. Regards simon On Mon, Dec 7, 2020 at 1:08 AM Tobias Brunner <[email protected]> wrote: > Hi Simon, > > > I am specifically looking for interfacing my application with charon for > > getting notification of a failure in the case of a remote certificate > > parsing failed for key usage extension. > > How do you expect parsing of that extension to fail? > > Regards, > Tobias >
