diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2004-03-05 17:16:06 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2004-03-05 17:16:06 +0000 |
| commit | 01fc051e8ab8c73ae54b74184222fd2a5908f9e4 (patch) | |
| tree | f537c5768025969f8c65411317d9cab46c30b8d2 /crypto/x509v3 | |
| parent | ae43f344af259ffab7cb5c82bb50620c1f96a0a2 (diff) | |
Various X509 fixes. Disable broken certificate workarounds
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
Diffstat (limited to 'crypto/x509v3')
| -rw-r--r-- | crypto/x509v3/v3_purp.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 4d145f71fd..b3d1ae5d1c 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -3,7 +3,7 @@ * project 2001. */ /* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -415,6 +415,7 @@ static void x509v3_cache_extensions(X509 *x) * 1 is a CA * 2 basicConstraints absent so "maybe" a CA * 3 basicConstraints absent but self signed V1. + * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) @@ -436,7 +437,7 @@ static int ca_check(const X509 *x) } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; /* If key usage present it must have certSign so tolerate it */ - else if (x->ex_flags & EXFLAG_KUSAGE) return 3; + else if (x->ex_flags & EXFLAG_KUSAGE) return 4; else return 2; } } |