diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2004-03-05 17:16:35 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2004-03-05 17:16:35 +0000 |
| commit | bc501570109e7837e1de1689de1eec9420e4cf89 (patch) | |
| tree | 6d606d96c898bf7bf25ee9577904d39dd4c86097 /crypto/x509v3 | |
| parent | 91180d45f9d92a089080dfef5363edb74d9b741b (diff) | |
Various X509 fixes. Disable broken certificate workarounds
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
Diffstat (limited to 'crypto/x509v3')
| -rw-r--r-- | crypto/x509v3/v3_purp.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index b1a6d2632a..67596862ab 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -3,7 +3,7 @@ * project 2001. */ /* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -415,6 +415,7 @@ static void x509v3_cache_extensions(X509 *x) * 1 is a CA * 2 basicConstraints absent so "maybe" a CA * 3 basicConstraints absent but self signed V1. + * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) @@ -436,7 +437,7 @@ static int ca_check(const X509 *x) } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; /* If key usage present it must have certSign so tolerate it */ - else if (x->ex_flags & EXFLAG_KUSAGE) return 3; + else if (x->ex_flags & EXFLAG_KUSAGE) return 4; else return 2; } } |