authorDr. Stephen Henson <steve@openssl.org>2001-02-01 02:03:58 +0000
committerDr. Stephen Henson <steve@openssl.org>2001-02-01 02:03:58 +0000
commit2e1d669cba1e629edac88cac766297c5c147aaac (patch)
tree200c6fe91e4456e7e2441a772950d79780027f36 /crypto/x509v3/v3_purp.c
parent819d5cef08e2d41abc3c814852ce2ab443e75245 (diff)
Tolerate some "variations" used in some
certificates. One is a valid CA which has no basicConstraints but does have certSign keyUsage. Other is S/MIME signer with nonRepudiation but no digitalSignature.
Diffstat (limited to 'crypto/x509v3/v3_purp.c')
-rw-r--r--crypto/x509v3/v3_purp.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 867699b26f..8aecd00e63 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -362,6 +362,8 @@ static int ca_check(const X509 *x)
else return 0;
} else {
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+ /* If key usage present it must have certSign so tolerate it */
+ else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
else return 2;
}
}
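Review bot: The new `EXFLAG_KUSAGE` branch returns 3, the same value the line above it returns for a V1 self-signed root, so callers of ca_check() cannot tell a certificate accepted as a CA on keyUsage alone from a V1 root. Because this path treats a certificate with no basicConstraints as a CA, a distinct return code would let stricter callers reject or log it, e.g. `else if (x->ex_flags & EXFLAG_KUSAGE) return 4;`. Callers outside this hunk that test the return value would need checking before making that change. The comment's claim that key usage "must have certSign" presumably relies on a keyCertSign rejection earlier in ca_check(), which starts outside the hunk. It would be clearer as `/* keyUsage present without basicConstraints: certSign is enforced earlier in this function, so tolerate as CA */`.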
@@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x)
if(ca_ret != 2) return ca_ret;
else return 0;
}
-
+
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
{
@@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
int ret;
ret = purpose_smime(x, ca);
if(!ret || ca) return ret;
- if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+ if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
return ret;
}
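Review bot: The widened mask on the `ku_reject` line needs a comment, because whether `KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION` means "either bit is enough" or "both are required" depends on ku_reject(), which is defined outside this hunk. Going by the commit message the intent is any-of, so that a signer certificate carrying only nonRepudiation is accepted. I would add `/* Accept nonRepudiation as an alternative to digitalSignature: some S/MIME signer certificates set only the former */` above the check. This loosens key-usage enforcement for S/MIME signing certificates, so the comment should also say the relaxation is deliberate. check_purpose_smime_sign() starts outside the hunk.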