From c73a99bbca4d7469a4be0b41be14c274b07ef480 Mon Sep 17 00:00:00 2001
From: Martin Nilsson <nilsson@opera.com>
Date: Sat, 26 Apr 2014 23:23:42 +0200
Subject: [PATCH] Future proofing.

---
 lib/modules/Standards.pmod/X509.pmod | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/modules/Standards.pmod/X509.pmod b/lib/modules/Standards.pmod/X509.pmod
index 82715d1976..6d2c8fa8bc 100644
--- a/lib/modules/Standards.pmod/X509.pmod
+++ b/lib/modules/Standards.pmod/X509.pmod
@@ -49,6 +49,7 @@ protected enum keyUsage {
   cRLSign           = 1<<6,
   encipherOnly      = 1<<7,
   decipherOnly      = 1<<8,
+  last_keyUsage     = 1<<9, // end marker
 };
 
 // Generates the reverse int for keyUsage.
@@ -1250,7 +1251,8 @@ TBSCertificate verify_ca_certificate(string|TBSCertificate tbs)
   }
   // FIXME: RFC 5759 also requires CRLSign set.
   if( tbs->ext_keyUsage &
-      (~(keyCertSign | cRLSign | digitalSignature | nonRepudiation)&0xffff) )
+      (~(keyCertSign | cRLSign | digitalSignature |
+         nonRepudiation)&(last_keyUsage-1)) )
   {
     DBG("verify ca: illegal CA uses in id-ce-keyUsage.\n");
     return 0;
-- 
GitLab