diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-25 16:58:36 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-11 07:42:22 +0200 |
commit | bb377c8d6c61920d889b961bd5c862eaac8b28e4 (patch) | |
tree | acc745971af643a01eb8488800a85a0a5eaca659 | |
parent | da6c691d6d417ad413fdc1e7a7a183d005e7fefd (diff) |
check_chain_extensions(): Add check that CA cert includes key usage extension
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
-rw-r--r-- | crypto/x509/x509_txt.c | 2 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 12 | ||||
-rw-r--r-- | include/openssl/x509_vfy.h | 1 |
3 files changed, 11 insertions, 4 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 85782a2f86..9cb6c8b739 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -206,6 +206,8 @@ const char *X509_verify_cert_error_string(long n) return "Authority Key Identifier marked critical"; case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL: return "Subject Key Identifier marked critical"; + case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE: + return "CA cert does not include key usage extension"; default: /* Printing an error number into a static buffer is not thread-safe */ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 966733dbb7..e8ca44a903 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -536,10 +536,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) && (x->ex_flags & EXFLAG_BCONS) != 0 && (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0) ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL; - /* Check keyCertSign according to RFC 5280 section 4.2.1.3 */ - if ((x->ex_flags & EXFLAG_CA) == 0 - && (x->ex_kusage & KU_KEY_CERT_SIGN) != 0) - ctx->error = X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA; + /* Check key usages according to RFC 5280 section 4.2.1.3 */ + if ((x->ex_flags & EXFLAG_CA) != 0) { + if ((x->ex_flags & EXFLAG_KUSAGE) == 0) + ctx->error = X509_V_ERR_CA_CERT_MISSING_KEY_USAGE; + } else { + if ((x->ex_kusage & KU_KEY_CERT_SIGN) != 0) + ctx->error = X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA; + } /* Check issuer is non-empty acc. to RFC 5280 section 4.1.2.4 */ if (X509_NAME_entry_count(X509_get_issuer_name(x)) == 0) ctx->error = X509_V_ERR_ISSUER_NAME_EMPTY; diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 53dff234ce..50ae14f240 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -232,6 +232,7 @@ X509_LOOKUP_ctrl_with_libctx((x), X509_L_ADD_STORE, (name), 0, NULL, \ # define X509_V_ERR_CA_BCONS_NOT_CRITICAL 89 # define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90 # define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91 +# define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92 /* Certificate verify flags */ # ifndef OPENSSL_NO_DEPRECATED_1_1_0 |