summaryrefslogtreecommitdiffstats
path: root/crypto/x509
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_txt.c2
-rw-r--r--crypto/x509/x509_vfy.c4
2 files changed, 6 insertions, 0 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 9cb6c8b739..53b19e46df 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -208,6 +208,8 @@ const char *X509_verify_cert_error_string(long n)
return "Subject Key Identifier marked critical";
case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
return "CA cert does not include key usage extension";
+ case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3:
+ return "Using cert extension requires at least X509v3";
default:
/* Printing an error number into a static buffer is not thread-safe */
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 83dae9a79b..4a067e5ff4 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -26,6 +26,7 @@
#include "x509_local.h"
DEFINE_STACK_OF(X509)
+DEFINE_STACK_OF(X509_EXTENSION)
DEFINE_STACK_OF(X509_REVOKED)
DEFINE_STACK_OF(GENERAL_NAME)
DEFINE_STACK_OF(X509_CRL)
@@ -585,6 +586,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
/* Check SKID presence acc. to RFC 5280 section 4.2.1.2 */
if ((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL)
ctx->error = X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER;
+ } else {
+ if (sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0)
+ ctx->error = X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3;
}
}
if (ctx->error != X509_V_OK)
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-16 05:35:32 +0000