diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2015-08-05 03:21:40 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2015-10-15 15:36:58 +0100 |
| commit | f51e5ed6b4b91d12228da873db72aa28109d1797 (patch) | |
| tree | 803cbbf3ba2d943f902ecb773f6007ad39fd9847 | |
| parent | 34a42e1489bf4f45bfad069eceba56315d4713be (diff) | |
Fix self signed handling.
Don't mark a certificate as self signed if keyUsage is present and
certificate signing not asserted.
PR#3979
Reviewed-by: Matt Caswell <matt@openssl.org>
| -rw-r--r-- | crypto/x509v3/v3_purp.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 43f355100b..90b3abcff7 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -380,6 +380,14 @@ static void setup_crldp(X509 *x) setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); } +#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) +#define ku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) +#define xku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) +#define ns_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) + static void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; @@ -497,7 +505,8 @@ static void x509v3_cache_extensions(X509 *x) if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { x->ex_flags |= EXFLAG_SI; /* If SKID matches AKID also indicate self signed */ - if (X509_check_akid(x, x->akid) == X509_V_OK) + if (X509_check_akid(x, x->akid) == X509_V_OK && + !ku_reject(x, KU_KEY_CERT_SIGN)) x->ex_flags |= EXFLAG_SS; } x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); @@ -536,14 +545,6 @@ static void x509v3_cache_extensions(X509 *x) * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ -#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) -#define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#define xku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) -#define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) - static int check_ca(const X509 *x) { /* keyUsage if present should allow cert signing */ |