From 01711b78ff6ad177243d7aeb0f10b1d92c5eadf8 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Fri, 5 Nov 2010 15:06:39 -0400
Subject: [PATCH] - fix included in 1.9

---
krb5-trunk-key_usage.patch | 25 -------------------------
1 file changed, 25 deletions(-)
delete mode 100644 krb5-trunk-key_usage.patch

diff --git a/krb5-trunk-key_usage.patch b/krb5-trunk-key_usage.patch
deleted file mode 100644
index f45db69..0000000
--- a/krb5-trunk-key_usage.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Reading the NID_key_usage extension doesn't ensure that the ex_flags and
-ex_kusage fields that the ku_reject() macro checks. It'd probably be
-better to check the usage string directly, but calling X509_check_ca()
-makes the right things happen. RT#6775, part of #629022.
-
-Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-===================================================================
---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24312)
-+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24313)
-@@ -2005,6 +2005,7 @@
- pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
-
- /* check that digitalSignature KeyUsage is present */
-+ X509_check_ca(reqctx->received_cert);
- if ((usage = X509_get_ext_d2i(reqctx->received_cert,
- NID_key_usage, NULL, NULL))) {
-
-@@ -4551,6 +4552,7 @@
- }
-
- /* Make sure usage exists before checking bits */
-+ X509_check_ca(x);
- usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
- if (usage) {
- if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))