Reading the NID_key_usage extension doesn't ensure that the ex_flags and
ex_kusage fields that the ku_reject() macro checks.  It'd probably be
better to check the usage string directly, but calling X509_check_ca()
makes the right things happen.  RT#6775, part of #629022.

Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24312)
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24313)
@@ -2005,6 +2005,7 @@
             pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
 
             /* check that digitalSignature KeyUsage is present */
+            X509_check_ca(reqctx->received_cert);
             if ((usage = X509_get_ext_d2i(reqctx->received_cert,
                                           NID_key_usage, NULL, NULL))) {
 
@@ -4551,6 +4552,7 @@
     }
 
     /* Make sure usage exists before checking bits */
+    X509_check_ca(x);
     usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
     if (usage) {
         if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))