Disallow certs with explicit curve in verification chain

The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12909)
author: Tomas Mraz <tmraz@fedoraproject.org> 2020-09-11 09:09:29 +0200
committer: Tomas Mraz <tmraz@fedoraproject.org> 2020-09-21 10:32:59 +0200
commit: fdcddd9357fcda1f0507fda0307d94e8244f2b51 (patch)
tree: ab06a7e366ae8509d901ac1497df3d29158b5d13 /crypto/x509/x509_txt.c
parent: 398c8da5c8c3cf3369ac7e8883823e0c94735ca7 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 4755b39eb4..c22aab9756 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -174,6 +174,8 @@ const char *X509_verify_cert_error_string(long n)
         return "OCSP verification failed";
     case X509_V_ERR_OCSP_CERT_UNKNOWN:
         return "OCSP unknown cert";
+    case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
+        return "Certificate public key has explicit ECC parameters";
 
     default:
         /* Printing an error number into a static buffer is not thread-safe */
author	Tomas Mraz <tmraz@fedoraproject.org>	2020-09-11 09:09:29 +0200
committer	Tomas Mraz <tmraz@fedoraproject.org>	2020-09-21 10:32:59 +0200
commit	fdcddd9357fcda1f0507fda0307d94e8244f2b51 (patch)
tree	ab06a7e366ae8509d901ac1497df3d29158b5d13 /crypto/x509/x509_txt.c
parent	398c8da5c8c3cf3369ac7e8883823e0c94735ca7 (diff)