summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGES4
-rw-r--r--crypto/x509v3/v3_purp.c6
2 files changed, 8 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index d88fe9ffd8..a19f241bb4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,10 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+ *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
+ keyUsage if basicConstraints absent for a CA.
+ [Steve Henson]
+
*) Make SMIME_write_PKCS7() write mail header values with a format that
is more generally accepted (no spaces before the semicolon), since
some programs can't parse those values properly otherwise. Also make
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 9d67bd92d5..9fa0e50ef0 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -371,6 +371,8 @@ static int ca_check(const X509 *x)
else return 0;
} else {
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+ /* If key usage present it must have certSign so tolerate it */
+ else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
else return 2;
}
}
@@ -389,7 +391,7 @@ static int check_ssl_ca(const X509 *x)
if(ca_ret != 2) return ca_ret;
else return 0;
}
-
+
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
{
@@ -455,7 +457,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
int ret;
ret = purpose_smime(x, ca);
if(!ret || ca) return ret;
- if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+ if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
return ret;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-09 04:47:57 +0000