authorRichard Levitte <levitte@openssl.org>2005-04-09 16:07:12 +0000
committerRichard Levitte <levitte@openssl.org>2005-04-09 16:07:12 +0000
commitd9bfe4f97cd4244beb0598cc348d68b04dac7068 (patch)
tree1577815b1c870c4541cb56ce12c7713e12889791 /crypto/x509v3/v3_purp.c
parentdc0ed30cfeb37d64fc2bd26887b19e0898a96bde (diff)
Added restrictions on the use of proxy certificates, as they may pose
a security threat to unsuspecting applications. Document and test.
Diffstat (limited to 'crypto/x509v3/v3_purp.c')
-rw-r--r--crypto/x509v3/v3_purp.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 9f992c9087..1222c3ce5b 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -338,7 +338,9 @@ static void x509v3_cache_extensions(X509 *x)
}
/* Handle proxy certificates */
if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
- if (x->ex_flags & EXFLAG_CA) {
+ if (x->ex_flags & EXFLAG_CA
+ || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
x->ex_flags |= EXFLAG_INVALID;
}
if (pci->pcPathLengthConstraint) {
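Review bot: The `lastpos` argument of 0 in the two added `X509_get_ext_by_NID` calls starts the search at extension index 1, so a subjectAltName or issuerAltName that is the first extension in the certificate is not detected and such a proxy certificate is not flagged EXFLAG_INVALID; the search should start from the beginning with `|| X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0` and `|| X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0`. A short why-comment above the condition would also help, e.g. `/* Proxy certs must not be CAs and must not carry subject/issuer alt names (proxy certificate profile) */`, since the reason for rejecting these extensions is not obvious from the code. x509v3_cache_extensions starts and continues outside the hunk, so where pci is released is not visible here.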