author | Dr. Stephen Henson <steve@openssl.org> | 2001-10-21 02:09:15 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2001-10-21 02:09:15 +0000 |
commit | f1558bb4243d83781793ed758367bd71d0983a35 (patch) | |
tree | e1971f6bf6360b9cd2e1fad6ad8f77ed4b916063 /crypto/x509v3 | |
parent | 6ca487992bc63d45f9780c6b83eecf025830e34b (diff) |
Reject certificates with unhandled critical extensions.
Diffstat (limited to 'crypto/x509v3')
-rw-r--r-- | crypto/x509v3/v3_purp.c | 54 | ||||
-rw-r--r-- | crypto/x509v3/x509v3.h | 2 |
2 files changed, 54 insertions, 2 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index ad55016236..b739e4fd83 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -1,9 +1,9 @@
 /* v3_purp.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 2001.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -266,12 +266,51 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
 return xp->trust;
 }
+static int nid_cmp(int *a, int *b)
+ {
+ return *a - *b;
+ }
+
+int X509_supported_extension(X509_EXTENSION *ex)
+ {
+ /* This table is a list of the NIDs of supported extensions:
+ * that is those which are used by the verify process. If
+ * an extension is critical and doesn't appear in this list
+ * then the verify process will normally reject the certificate.
+ * The list must be kept in numerical order because it will be
+ * searched using bsearch.
+ */
+
+ static int supported_nids[] = {
+ NID_netscape_cert_type, /* 71 */
+ NID_key_usage, /* 83 */
+ NID_subject_alt_name, /* 85 */
+ NID_basic_constraints, /* 87 */
+ NID_ext_key_usage /* 126 */
+ };
+
+ int ex_nid;
+
+ ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
+
+ if (ex_nid == NID_undef)
+ return 0;
+
+ if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids,
+ sizeof(supported_nids)/sizeof(int), sizeof(int),
+ (int (*)(const void *, const void *))nid_cmp))
+ return 1;
+ return 0;
+ }
+
+
 static void x509v3_cache_extensions(X509 *x)
 {
 BASIC_CONSTRAINTS *bs;
 ASN1_BIT_STRING *usage;
 ASN1_BIT_STRING *ns;
 EXTENDED_KEY_USAGE *extusage;
+ X509_EXTENSION *ex;
 int i;
 if(x->ex_flags & EXFLAG_SET) return;
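Review bot: `nid_cmp` is declared as taking `int *` arguments but is passed to `OBJ_bsearch` through a cast to `int (*)(const void *, const void *)`, so it is called through an incompatible function-pointer type, which C leaves undefined. Giving it the callback's real signature removes the need for the cast: `static int nid_cmp(const void *a, const void *b)` with the body `return *(const int *)a - *(const int *)b;`. The sorted-order requirement on `supported_nids` is enforced only by the comment; an entry added out of order would make a handled extension look unsupported, so the certificate would be flagged rather than wrongly accepted. The comment should therefore say that new NIDs are inserted by numeric value, never appended.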
@@ -352,6 +391,17 @@ static void x509v3_cache_extensions(X509 *x)
 }
 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+ for (i = 0; i < X509_get_ext_count(x); i++)
+ {
+ ex = X509_get_ext(x, i);
+ if (!X509_EXTENSION_get_critical(ex))
+ continue;
+ if (!X509_supported_extension(ex))
+ {
+ x->ex_flags |= EXFLAG_CRITICAL;
+ break;
+ }
+ }
 x->ex_flags |= EXFLAG_SET;
 }
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 096dc56b68..d1c9828f78 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -324,6 +324,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define EXFLAG_V1 0x40
 #define EXFLAG_INVALID 0x80
 #define EXFLAG_SET 0x100
+#define EXFLAG_CRITICAL 0x200
 #define KU_DIGITAL_SIGNATURE 0x0080
 #define KU_NON_REPUDIATION 0x0040
@@ -528,6 +529,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
 int X509_check_purpose(X509 *x, int id, int ca);
+int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
 int X509_check_issued(X509 *issuer, X509 *subject);
 int X509_PURPOSE_get_count(void); |
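Review bot: The new loop in x509v3_cache_extensions only records the condition by setting `EXFLAG_CRITICAL`; nothing in the visible diff tests the flag, and the diffstat is limited to crypto/x509v3, so whether a certificate is actually rejected depends on code outside this view. A caller that relies on `X509_check_purpose()` alone, without checking `x->ex_flags & EXFLAG_CRITICAL`, would presumably still accept such a certificate, which is worth confirming for each verification path. A comment above the loop would make the contract explicit: `/* Only flags the certificate; callers must test EXFLAG_CRITICAL to reject it */`. The loop also re-evaluates `X509_get_ext_count(x)` on every iteration and could read it once into a local. The function body starts outside the hunk.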
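Review bot: `EXFLAG_CRITICAL` is added to the public header with no description of what it means, and the same applies to the `X509_supported_extension()` prototype in the following hunk. A one-line comment on each would tell callers what to rely on: `/* certificate has a critical extension the library does not handle */` on the define, and `/* returns 1 if the extension's NID is in the handled list, 0 otherwise (including unknown OIDs) */` on the prototype.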