diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2001-10-21 02:09:15 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2001-10-21 02:09:15 +0000 |
| commit | f1558bb4243d83781793ed758367bd71d0983a35 (patch) | |
| tree | e1971f6bf6360b9cd2e1fad6ad8f77ed4b916063 /crypto/x509 | |
| parent | 6ca487992bc63d45f9780c6b83eecf025830e34b (diff) | |
Reject certificates with unhandled critical extensions.
Diffstat (limited to 'crypto/x509')
| -rw-r--r-- | crypto/x509/x509_txt.c | 3 | ||||
| -rw-r--r-- | crypto/x509/x509_vfy.c | 11 | ||||
| -rw-r--r-- | crypto/x509/x509_vfy.h | 2 |
3 files changed, 14 insertions, 2 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index bcf38a6c91..4f83db8ba2 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -144,6 +144,9 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); + case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: + return("unhandled critical extension"); + default: sprintf(buf,"error number %ld",n); return(buf); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 892b7849fd..3c69bb9e0e 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -384,6 +384,15 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) for (i = 0; i < ctx->last_untrusted; i++) { x = sk_X509_value(ctx->chain, i); + if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) + && (x->ex_flags & EXFLAG_CRITICAL)) + { + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } if (!X509_check_purpose(x, ctx->purpose, i)) { if (i) @@ -721,8 +730,6 @@ static int internal_verify(X509_STORE_CTX *ctx) if (!ok) goto end; } - /* CRL CHECK */ - /* The last error (if any) is still in the error value */ ctx->current_cert=xs; ok=(*cb)(1,ctx); diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 689062fa30..f0be21f452 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -303,6 +303,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 +#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 @@ -313,6 +314,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ #define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */ #define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */ +#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */ int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); |