zeroc-ice 3.7.6 → 3.7.7

data/ext/ice/cpp/src/Ice/Thread.cpp

@@ -714,9 +714,9 @@ IceUtil::Thread::start(size_t stackSize, bool realtimeScheduling, int priority)
     }
     if(stackSize > 0)
     {
-        if(stackSize < PTHREAD_STACK_MIN)
+        if(stackSize < static_cast<size_t>(PTHREAD_STACK_MIN))
         {
-            stackSize = PTHREAD_STACK_MIN;
+            stackSize = static_cast<size_t>(PTHREAD_STACK_MIN);
         }
 #ifdef __APPLE__
         if(stackSize % 4096 > 0)

data/ext/ice/cpp/src/Ice/ThreadPool.cpp

@@ -17,6 +17,10 @@
 #   include <Ice/StringConverter.h>
 #endif
 
+#if defined(__FreeBSD__)
+#   include <sys/sysctl.h>
+#endif
+
 using namespace std;
 using namespace Ice;
 using namespace Ice::Instrumentation;
@@ -303,8 +307,8 @@ IceInternal::ThreadPool::ThreadPool(const InstancePtr& instance, const string& p
     int nProcessors = sysInfo.dwNumberOfProcessors;
 #   elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
     static int ncpu[2] = { CTL_HW, HW_NCPU };
-    size_t sz = sizeof(nProcessors);
     int nProcessors;
+    size_t sz = sizeof(nProcessors);
     if(sysctl(ncpu, 2, &nProcessors, &sz, 0, 0) == -1)
     {
         nProcessors = 1;

data/ext/ice/cpp/src/Ice/ValueFactory.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -37,7 +37,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/Ice/Version.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -37,7 +37,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceDiscovery/IceDiscovery.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -37,7 +37,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceDiscovery/IceDiscovery.h

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -42,7 +42,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceLocatorDiscovery/IceLocatorDiscovery.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -38,7 +38,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceLocatorDiscovery/IceLocatorDiscovery.h

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -44,7 +44,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/CertificateI.cpp

@@ -6,7 +6,7 @@
 #include <IceUtil/Mutex.h>
 #include <IceUtil/MutexPtrLock.h>
 #include <IceUtil/StringUtil.h>
-#include <IceSSL/Plugin.h>
+#include <IceSSL/PluginI.h>
 #include <IceSSL/Util.h>
 #include <IceSSL/RFC2253.h>
 #include <IceSSL/CertificateI.h>
@@ -277,3 +277,25 @@ CertificateI::toString() const
     os << "subject: " << string(getSubjectDN()) << "\n";
     return os.str();
 }
+
+unsigned int
+Certificate::getKeyUsage() const
+{
+    const CertificateExtendedInfo* impl = dynamic_cast<const CertificateExtendedInfo*>(this);
+    if(impl)
+    {
+        return impl->getKeyUsage();
+    }
+    return 0;
+}
+
+unsigned int
+Certificate::getExtendedKeyUsage() const
+{
+    const CertificateExtendedInfo* impl = dynamic_cast<const CertificateExtendedInfo*>(this);
+    if(impl)
+    {
+        return impl->getExtendedKeyUsage();
+    }
+    return 0;
+}

data/ext/ice/cpp/src/IceSSL/ConnectionInfo.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -37,7 +37,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/ConnectionInfoF.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -35,7 +35,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/EndpointInfo.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.6
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -37,7 +37,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 6
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/OpenSSLCertificateI.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 
-#include <IceSSL/Plugin.h>
+#include <IceSSL/PluginI.h>
 #include <IceSSL/OpenSSL.h>
 #include <IceSSL/CertificateI.h>
 #include <IceSSL/OpenSSLUtil.h>
@@ -39,6 +39,12 @@ extern "C" typedef void (*FreeFunc)(void*);
 
 #endif
 
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#   define X509_get_extension_flags(x) (x->ex_flags)
+#   define X509_get_key_usage(x)  (x->ex_kusage)
+#   define X509_get_extended_key_usage(x)  (x->ex_xkusage)
+#endif
+
 namespace
 {
 
@@ -257,6 +263,7 @@ private:
 
 class OpenSSLCertificateI : public IceSSL::OpenSSL::Certificate,
                             public CertificateI,
+                            public IceSSL::CertificateExtendedInfo,
                             public IceUtil::Mutex
 {
 public:
@@ -285,6 +292,8 @@ public:
     virtual vector<pair<int, string> > getSubjectAlternativeNames() const;
     virtual int getVersion() const;
     virtual x509_st* getCert() const;
+    virtual unsigned int getKeyUsage() const;
+    virtual unsigned int getExtendedKeyUsage() const;
 
 protected:
 
@@ -542,6 +551,94 @@ OpenSSLCertificateI::loadX509Extensions() const
     }
 }
 
+unsigned int
+OpenSSLCertificateI::getKeyUsage() const
+{
+    unsigned int keyUsage = 0;
+    int flags = X509_get_extension_flags(_cert);
+    if(flags & EXFLAG_KUSAGE)
+    {
+        unsigned int kusage = X509_get_key_usage(_cert);
+        if(kusage & KU_DIGITAL_SIGNATURE)
+        {
+            keyUsage |= KEY_USAGE_DIGITAL_SIGNATURE;
+        }
+        if(kusage & KU_NON_REPUDIATION)
+        {
+            keyUsage |= KEY_USAGE_NON_REPUDIATION;
+        }
+        if(kusage & KU_KEY_ENCIPHERMENT)
+        {
+            keyUsage |= KEY_USAGE_KEY_ENCIPHERMENT;
+        }
+        if(kusage & KU_DATA_ENCIPHERMENT)
+        {
+            keyUsage |= KEY_USAGE_DATA_ENCIPHERMENT;
+        }
+        if(kusage & KU_KEY_AGREEMENT)
+        {
+            keyUsage |= KEY_USAGE_KEY_AGREEMENT;
+        }
+        if(kusage & KU_KEY_CERT_SIGN)
+        {
+            keyUsage |= KEY_USAGE_KEY_CERT_SIGN;
+        }
+        if(kusage & KU_CRL_SIGN)
+        {
+            keyUsage |= KEY_USAGE_CRL_SIGN;
+        }
+        if(kusage & KU_ENCIPHER_ONLY)
+        {
+            keyUsage |= KEY_USAGE_ENCIPHER_ONLY;
+        }
+        if(kusage & KU_DECIPHER_ONLY)
+        {
+            keyUsage |= KEY_USAGE_DECIPHER_ONLY;
+        }
+    }
+    return keyUsage;
+}
+
+unsigned int
+OpenSSLCertificateI::getExtendedKeyUsage() const
+{
+    unsigned int extendedKeyUsage = 0;
+    int flags = X509_get_extension_flags(_cert);
+    if(flags & EXFLAG_XKUSAGE)
+    {
+        unsigned int xkusage = X509_get_extended_key_usage(_cert);
+        if(xkusage & XKU_ANYEKU)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_ANY_KEY_USAGE;
+        }
+        if(xkusage & XKU_SSL_SERVER)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_SERVER_AUTH;
+        }
+        if(xkusage & XKU_SSL_CLIENT)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_CLIENT_AUTH;
+        }
+        if(xkusage & XKU_CODE_SIGN)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_CODE_SIGNING;
+        }
+        if(xkusage & XKU_SMIME)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_EMAIL_PROTECTION;
+        }
+        if(xkusage & XKU_TIMESTAMP)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_TIME_STAMPING;
+        }
+        if(xkusage & XKU_OCSP_SIGN)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_OCSP_SIGNING;
+        }
+    }
+    return extendedKeyUsage;
+}
+
 IceSSL::OpenSSL::CertificatePtr
 IceSSL::OpenSSL::Certificate::create(x509_st* cert)
 {
@@ -559,12 +656,16 @@ IceSSL::OpenSSL::Certificate::load(const std::string& file)
     }
 
     x509_st* x = PEM_read_bio_X509(cert, ICE_NULLPTR, ICE_NULLPTR, ICE_NULLPTR);
+    BIO_free(cert);
     if(x == ICE_NULLPTR)
     {
-        BIO_free(cert);
         throw CertificateReadException(__FILE__, __LINE__, "error reading file:\n" + getSslErrors(false));
     }
-    BIO_free(cert);
+    // Calling it with -1 for the side effects, this ensure that the extensions info is loaded
+    if(X509_check_purpose(x, -1, -1) == -1)
+    {
+        throw CertificateReadException(__FILE__, __LINE__, "error loading certificate:\n" + getSslErrors(false));
+    }
     return ICE_MAKE_SHARED(OpenSSLCertificateI, x);
 }
 
@@ -573,11 +674,15 @@ IceSSL::OpenSSL::Certificate::decode(const std::string& encoding)
 {
     BIO *cert = BIO_new_mem_buf(static_cast<void*>(const_cast<char*>(&encoding[0])), static_cast<int>(encoding.size()));
     x509_st* x = PEM_read_bio_X509(cert, ICE_NULLPTR, ICE_NULLPTR, ICE_NULLPTR);
+    BIO_free(cert);
     if(x == ICE_NULLPTR)
     {
-        BIO_free(cert);
         throw CertificateEncodingException(__FILE__, __LINE__, getSslErrors(false));
     }
-    BIO_free(cert);
+    // Calling it with -1 for the side effects, this ensure that the extensions info is loaded
+    if(X509_check_purpose(x, -1, -1) == -1)
+    {
+        throw CertificateReadException(__FILE__, __LINE__, "error loading certificate:\n" + getSslErrors(false));
+    }
     return ICE_MAKE_SHARED(OpenSSLCertificateI, x);
 }

data/ext/ice/cpp/src/IceSSL/OpenSSLEngine.cpp

@@ -28,6 +28,9 @@
 
 #ifdef _MSC_VER
 #   pragma warning(disable:4127) // conditional expression is constant
+#elif defined(__GNUC__)
+#  // Ignore OpenSSL 3.0 deprecation warning
+#  pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 #endif
 
 using namespace std;
@@ -816,7 +819,7 @@ OpenSSL::SSLEngine::initialize()
                             if(!_dhParams->add(keyLength, file))
                             {
                                 throw PluginInitializationException(__FILE__, __LINE__,
-                                                                "IceSSL: unable to read DH parameter file " + file);
+                                                                    "IceSSL: unable to read DH parameter file " + file);
                             }
                         }
                     }
@@ -824,6 +827,62 @@ OpenSSL::SSLEngine::initialize()
                 }
             }
 
+            int revocationCheck = getRevocationCheck();
+            if(revocationCheck > 0)
+            {
+                vector<string> crlFiles =
+                    properties->getPropertyAsList(propPrefix + "CertificateRevocationListFiles");
+                if(crlFiles.empty())
+                {
+                    throw PluginInitializationException(
+                        __FILE__,
+                        __LINE__,
+                        "IceSSL: cannot enable revocation checks without setting certificate revocation list files");
+                }
+
+                X509_STORE* store = SSL_CTX_get_cert_store(_ctx);
+                if(!store)
+                {
+                    throw PluginInitializationException(
+                        __FILE__,
+                        __LINE__,
+                        "IceSSL: unable to obtain the certificate store");
+                }
+
+                X509_LOOKUP* lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+                if(!lookup)
+                {
+                    throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: add lookup failed");
+                }
+
+                for(vector<string>::const_iterator it = crlFiles.begin(); it != crlFiles.end(); it++)
+                {
+                    string file;
+                    if(!checkPath(*it, defaultDir, false, file))
+                    {
+                        throw PluginInitializationException(
+                            __FILE__,
+                            __LINE__,
+                            "IceSSL: CRL file not found `" + *it + "'");
+                    }
+
+                    if(X509_LOOKUP_load_file(lookup, file.c_str(), X509_FILETYPE_PEM) == 0)
+                    {
+                        throw PluginInitializationException(
+                            __FILE__,
+                            __LINE__,
+                            "IceSSL: CRL load failure `" + *it + "'");
+                    }
+                }
+
+                unsigned long flags = X509_V_FLAG_CRL_CHECK;
+                if(revocationCheck > 1)
+                {
+                    flags |= X509_V_FLAG_CRL_CHECK_ALL;
+                }
+                X509_STORE_set_flags(store, flags);
+            }
+
             SSL_CTX_set_mode(_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
         }
 

data/ext/ice/cpp/src/IceSSL/OpenSSLUtil.cpp

@@ -10,6 +10,8 @@
 //
 #if defined(__GNUC__)
 #  pragma GCC diagnostic ignored "-Wold-style-cast"
+#  // Ignore OpenSSL 3.0 deprecation warning
+#  pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 #endif
 
 using namespace std;

data/ext/ice/cpp/src/IceSSL/PluginI.h

@@ -22,6 +22,17 @@ public:
 };
 ICE_DEFINE_PTR(ExtendedConnectionInfoPtr, ExtendedConnectionInfo);
 
+// TODO: This class provides new certificate virtual methods that canot be added directly to the certificate class
+// without breaking binary compatibility. The class can be removed once the relevant methods can be marked as virtual in
+// the certificate class in the next major release (3.8.x).
+class ICESSL_API CertificateExtendedInfo
+{
+public:
+
+    virtual unsigned int getKeyUsage() const = 0;
+    virtual unsigned int getExtendedKeyUsage() const = 0;
+};
+
 class ICESSL_API PluginI : public virtual IceSSL::Plugin
 {
 public:

data/ext/ice/cpp/src/IceSSL/SChannelCertificateI.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 
-#include <IceSSL/Plugin.h>
+#include <IceSSL/PluginI.h>
 #include <IceSSL/SChannel.h>
 #include <IceSSL/CertificateI.h>
 #include <IceSSL/Util.h>
@@ -59,6 +59,7 @@ private:
 
 class SChannelCertificateI : public SChannel::Certificate,
                              public CertificateI,
+                             public IceSSL::CertificateExtendedInfo,
                              public IceUtil::Mutex
 {
 public:
@@ -94,6 +95,9 @@ protected:
 
 private:
 
+    virtual unsigned int getKeyUsage() const;
+    virtual unsigned int getExtendedKeyUsage() const;
+
     CERT_SIGNED_CONTENT_INFO* _cert;
     CERT_INFO* _certInfo;
     CertInfoHolderPtr _certInfoHolder;
@@ -557,6 +561,143 @@ SChannelCertificateI::loadX509Extensions() const
     }
 }
 
+unsigned int
+SChannelCertificateI::getKeyUsage() const
+{
+    unsigned int keyUsage = 0;
+    BYTE usage[2];
+    if(CertGetIntendedKeyUsage(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, _certInfo, usage, 2))
+    {
+        if (usage[0] & CERT_DIGITAL_SIGNATURE_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_DIGITAL_SIGNATURE;
+        }
+        if (usage[0] & CERT_NON_REPUDIATION_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_NON_REPUDIATION;
+        }
+        if (usage[0] & CERT_KEY_ENCIPHERMENT_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_KEY_ENCIPHERMENT;
+        }
+        if (usage[0] & CERT_DATA_ENCIPHERMENT_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_DATA_ENCIPHERMENT;
+        }
+        if (usage[0] & CERT_KEY_AGREEMENT_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_KEY_AGREEMENT;
+        }
+        if (usage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_KEY_CERT_SIGN;
+        }
+        if(usage[0] & CERT_CRL_SIGN_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_CRL_SIGN;
+        }
+        if(usage[0] & CERT_ENCIPHER_ONLY_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_ENCIPHER_ONLY;
+        }
+        if(usage[1] & CERT_DECIPHER_ONLY_KEY_USAGE)
+        {
+            keyUsage |= KEY_USAGE_DECIPHER_ONLY;
+        }
+    }
+    else if(GetLastError())
+    {
+        throw CertificateEncodingException(__FILE__, __LINE__, IceUtilInternal::lastErrorToString());
+    }
+    return keyUsage;
+}
+
+unsigned int
+SChannelCertificateI::getExtendedKeyUsage() const
+{
+    unsigned int extendedKeyUsage = 0;
+    const CERT_CONTEXT* certContext = CertCreateCertificateContext(X509_ASN_ENCODING,
+                                                                   _cert->ToBeSigned.pbData,
+                                                                   _cert->ToBeSigned.cbData);
+    if(certContext == 0)
+    {
+        throw CertificateEncodingException(__FILE__, __LINE__, IceUtilInternal::lastErrorToString());
+    }
+    try
+    {
+        DWORD cbUsage;
+        if(!CertGetEnhancedKeyUsage(certContext, 0, 0, &cbUsage))
+        {
+            if(GetLastError() == CRYPT_E_NOT_FOUND)
+            {
+                return 0;
+            }
+            else
+            {
+                throw CertificateEncodingException(__FILE__, __LINE__, IceUtilInternal::lastErrorToString());
+            }
+        }
+
+        if (cbUsage > 0)
+        {
+            vector<unsigned char> pUsage;
+            pUsage.resize(cbUsage);
+            if(!CertGetEnhancedKeyUsage(certContext, 0, reinterpret_cast<CERT_ENHKEY_USAGE*>(&pUsage[0]), &cbUsage))
+            {
+                if(GetLastError() == CRYPT_E_NOT_FOUND)
+                {
+                    return 0;
+                }
+                else
+                {
+                    throw CertificateEncodingException(__FILE__, __LINE__, IceUtilInternal::lastErrorToString());
+                }
+            }
+
+            CERT_ENHKEY_USAGE* enkeyUsage = reinterpret_cast<CERT_ENHKEY_USAGE*>(&pUsage[0]);
+            for(DWORD i = 0; i < enkeyUsage->cUsageIdentifier; i++)
+            {
+                LPSTR oid = enkeyUsage->rgpszUsageIdentifier[i];
+                if(strcmp(oid, szOID_ANY_ENHANCED_KEY_USAGE) == 0)
+                {
+                    extendedKeyUsage |= EXTENDED_KEY_USAGE_ANY_KEY_USAGE;
+                }
+                if(strcmp(oid, szOID_PKIX_KP_SERVER_AUTH) == 0)
+                {
+                    extendedKeyUsage |= EXTENDED_KEY_USAGE_SERVER_AUTH;
+                }
+                if(strcmp(oid, szOID_PKIX_KP_CLIENT_AUTH) == 0)
+                {
+                    extendedKeyUsage |= EXTENDED_KEY_USAGE_CLIENT_AUTH;
+                }
+                if(strcmp(oid, szOID_PKIX_KP_CODE_SIGNING) == 0)
+                {
+                    extendedKeyUsage |= EXTENDED_KEY_USAGE_CODE_SIGNING;
+                }
+                if(strcmp(oid, szOID_PKIX_KP_EMAIL_PROTECTION) == 0)
+                {
+                    extendedKeyUsage |= EXTENDED_KEY_USAGE_EMAIL_PROTECTION;
+                }
+                if(strcmp(oid, szOID_PKIX_KP_TIMESTAMP_SIGNING) == 0)
+                {
+                    extendedKeyUsage |= EXTENDED_KEY_USAGE_TIME_STAMPING;
+                }
+                if(strcmp(oid, szOID_PKIX_KP_OCSP_SIGNING) == 0)
+                {
+                    extendedKeyUsage |= EXTENDED_KEY_USAGE_OCSP_SIGNING;
+                }
+            }
+        }
+        CertFreeCertificateContext(certContext);
+    }
+    catch(...)
+    {
+        CertFreeCertificateContext(certContext);
+        throw;
+    }
+    return extendedKeyUsage;
+}
+
 SChannel::CertificatePtr
 SChannel::Certificate::create(CERT_SIGNED_CONTENT_INFO* cert)
 {