authorViktor Dukhovni <openssl-users@dukhovni.org>2016-01-28 03:01:45 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-01-31 21:23:23 -0500
commit0daccd4dc1f1ac62181738a91714f35472e50f3c (patch)
tree5b7c2b6c5db0c2caf223ea978db03559b5eb90f8 /crypto/x509/x509_trs.c
parent1b4cf96f9b82ec3b06e7902bb21620a09cadd94e (diff)
Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary trust OIDs (given a trust suitably related to the intended purpose). Added tests and updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'crypto/x509/x509_trs.c')
-rw-r--r--crypto/x509/x509_trs.c19
1 files changed, 11 insertions, 8 deletions
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 7392c55953..c81c725ea1 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -276,7 +276,7 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
{
- if (x->aux)
+ if (x->aux && (x->aux->trust || x->aux->reject))
return obj_trust(trust->arg1, x, flags);
return X509_TRUST_UNTRUSTED;
}
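Review bot: The new condition in trust_1oid dereferences `x->aux` three times, while the second hunk of this same commit introduces a local `X509_CERT_AUX *ax = x->aux;` in obj_trust; using the same idiom here, `X509_CERT_AUX *ax = x->aux;` followed by `if (ax && (ax->trust || ax->reject))`, would keep the two functions consistent and easier to read. The intent of the gate also deserves a comment: obj_trust already returns X509_TRUST_UNTRUSTED for a NULL aux and skips NULL reject/trust stacks, so the added check presumably exists to avoid whatever fallback obj_trust applies after its two loops (which lies outside this view) when the certificate carries no explicit trust or reject OIDs. A line such as `/* Consult obj_trust() only when explicit trust/reject OIDs are present */` above the `if` would record that reasoning for the next maintainer.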
@@ -293,23 +293,26 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
static int obj_trust(int id, X509 *x, int flags)
{
- ASN1_OBJECT *obj;
+ X509_CERT_AUX *ax = x->aux;
int i;
- X509_CERT_AUX *ax;
- ax = x->aux;
+
if (!ax)
return X509_TRUST_UNTRUSTED;
if (ax->reject) {
for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
- obj = sk_ASN1_OBJECT_value(ax->reject, i);
- if (OBJ_obj2nid(obj) == id)
+ ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i);
+ int nid = OBJ_obj2nid(obj);
+
+ if (nid == id || nid == NID_anyExtendedKeyUsage)
return X509_TRUST_REJECTED;
}
}
if (ax->trust) {
for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
- obj = sk_ASN1_OBJECT_value(ax->trust, i);
- if (OBJ_obj2nid(obj) == id)
+ ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i);
+ int nid = OBJ_obj2nid(obj);
+
+ if (nid == id || nid == NID_anyExtendedKeyUsage)
return X509_TRUST_TRUSTED;
}
/*