author | Dr. Stephen Henson <steve@openssl.org> | 2001-02-01 01:57:32 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2001-02-01 01:57:32 +0000 |
commit | 8cff6331c944398cc7889e586116c11e89f89147 (patch) | |
tree | e0ee2c0a2d5a943f4e2d740f766b2b9e53234265 /crypto/x509v3 | |
parent | cd6aa710b5f4df1959b9bb3f78928619502b39af (diff) |
Tolerate some "variations" used in some
certificates.
One is a valid CA which has no basicConstraints
but does have certSign keyUsage.
Other is S/MIME signer with nonRepudiation but
no digitalSignature.
Diffstat (limited to 'crypto/x509v3')
-rw-r--r-- | crypto/x509v3/v3_purp.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 9d67bd92d5..9fa0e50ef0 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -371,6 +371,8 @@ static int ca_check(const X509 *x)
 else return 0;
 } else {
 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+ /* If key usage present it must have certSign so tolerate it */
+ else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
 else return 2;
 }
 }
@@ -389,7 +391,7 @@ static int check_ssl_ca(const X509 *x)
 if(ca_ret != 2) return ca_ret;
 else return 0;
 }
-
+
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
@@ -455,7 +457,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
 int ret;
 ret = purpose_smime(x, ca);
 if(!ret || ca) return ret;
- if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+ if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
 return ret;
 } |
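Review bot: In the first hunk (`ca_check`), the new `EXFLAG_KUSAGE` branch returns 3, the same value as the V1 root case on the line above it, so a caller cannot tell a certificate that merely lacks basicConstraints from a self-signed V1 root. The `check_ssl_ca` context in the next hunk passes through any value other than 2, so this tolerated case is now accepted as an SSL CA. A distinct code, e.g. `else if (x->ex_flags & EXFLAG_KUSAGE) return 4;`, would let stricter callers refuse it while lenient ones still accept it. The comment's claim that key usage "must have certSign" depends on a rejection earlier in `ca_check`, which starts outside the hunk; if that check is not there, the branch should test `x->ex_kusage & KU_KEY_CERT_SIGN` itself.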
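Review bot: The widened mask in `check_purpose_smime_sign` (third hunk) carries no comment, unlike the `ca_check` change, so the reader has to know how `ku_reject` treats a multi-bit mask. `ku_reject` is defined outside this diff and presumably rejects only when none of the given bits is set, which is what the commit message intends. I would add `/* Tolerate signers with nonRepudiation but no digitalSignature: reject only if neither bit is set */` above the call so the relaxation is visible to anyone auditing S/MIME signer acceptance.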