From ecc20b75f885736d3a599d1590fca81bab893a52 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 18 Jun 2008 14:42:27 +0000
Subject: [PATCH] Fix typo and filter on X509_PURPOSE_SSL_CLIENT when
 presenting certs.

---
 engines/e_capi.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/engines/e_capi.c b/engines/e_capi.c
index 568b8d3632..c2e5e64458 100644
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -70,6 +70,7 @@
 
 #include <openssl/engine.h>
 #include <openssl/pem.h>
+#include <openssl/x509v3.h>
 
 #include "e_capi_err.h"
 #include "e_capi_err.c"
@@ -1367,7 +1368,6 @@ static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provnam
 	{
 	CAPI_KEY *key;
 	key = OPENSSL_malloc(sizeof(CAPI_KEY));
-						contname, provname, ptype);
 	CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 
 						contname, provname, ptype);
 	if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, 0))
@@ -1587,11 +1587,15 @@ static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
 			CAPI_trace(ctx, "Can't Parse Certificate %d\n", i);
 			continue;
 			}
-		if (cert_issuer_match(ca_dn, x))
+		if (cert_issuer_match(ca_dn, x)
+			&& X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0))
 			{
 			key = capi_get_cert_key(ctx, cert);
 			if (!key)
+				{
+				X509_free(x);
 				continue;
+				}
 			/* Match found: attach extra data to it so
 			 * we can retrieve the key later.
 			 */
-- 
2.25.1