diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2019-12-24 11:25:15 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-07-01 11:14:54 +0200 |
| commit | 0e7b1383e138ce3fa66c5bd0ea4a9cb35487436c (patch) | |
| tree | 9ddb274339a9a7da79ba23c1c85af72e57ef6dc8 /doc/man3 | |
| parent | d18c7ad66aaaebe10c86127d966f5401bc414d2a (diff) | |
Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()
Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix
Fixes #1418
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
Diffstat (limited to 'doc/man3')
| -rw-r--r-- | doc/man3/X509_STORE_set_verify_cb_func.pod | 4 | ||||
| -rw-r--r-- | doc/man3/X509_check_issued.pod | 6 |
2 files changed, 6 insertions, 4 deletions
diff --git a/doc/man3/X509_STORE_set_verify_cb_func.pod b/doc/man3/X509_STORE_set_verify_cb_func.pod index e845906cc8..84b216ffbe 100644 --- a/doc/man3/X509_STORE_set_verify_cb_func.pod +++ b/doc/man3/X509_STORE_set_verify_cb_func.pod @@ -145,7 +145,9 @@ I<If no function to get the issuer is provided, the internal default function will be used instead.> X509_STORE_set_check_issued() sets the function to check that a given -certificate B<x> is issued with the issuer certificate B<issuer>. +certificate B<x> is issued by the issuer certificate B<issuer> and +the issuer is not yet in the chain contained in <ctx>, where the exceptional +case that B<x> is self-issued and ctx->chain has just one element is allowed. This function must return 0 on failure (among others if B<x> hasn't been issued with B<issuer>) and 1 on success. I<If no function to get the issuer is provided, the internal default diff --git a/doc/man3/X509_check_issued.pod b/doc/man3/X509_check_issued.pod index 0e8ab7deb3..cc98541bba 100644 --- a/doc/man3/X509_check_issued.pod +++ b/doc/man3/X509_check_issued.pod @@ -2,7 +2,7 @@ =head1 NAME -X509_check_issued - checks if certificate is likely issued by another +X509_check_issued - checks if certificate is apparently issued by another certificate =head1 SYNOPSIS @@ -14,8 +14,8 @@ certificate =head1 DESCRIPTION -X509_check_issued() checks if certificate I<subject> was likely issued using CA -certificate I<issuer>. This function takes into account not only +X509_check_issued() checks if certificate I<subject> was apparently issued +using (CA) certificate I<issuer>. This function takes into account not only matching of the issuer field of I<subject> with the subject field of I<issuer>, but also compares all sub-fields of the B<authorityKeyIdentifier> extension of I<subject>, as far as present, with the respective B<subjectKeyIdentifier>, |