From 89f13ca4342be5b541b0885e3058617e5cce0de8 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Tue, 25 Aug 2020 16:13:40 +0200
Subject: check_chain_extensions(): Add check that AKID and SKID are not marked critical
Reviewed-by: Kurt Roeckx
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/12478)
---
 include/openssl/x509_vfy.h | 2 ++
 include/openssl/x509v3.h | 2 ++
 2 files changed, 4 insertions(+)
(limited to 'include')
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index e00d51e06f..c568b0541c 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -229,6 +229,8 @@ X509_LOOKUP_ctrl_with_libctx((x), X509_L_ADD_STORE, (name), 0, NULL, \
 # define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86
 # define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87
 # define X509_V_ERR_CA_BCONS_NOT_CRITICAL 88
+# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 89
+# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 90
 /* Certificate verify flags */
 # ifndef OPENSSL_NO_DEPRECATED_1_1_0
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 4faca1a2ee..93f9347ac8 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -377,6 +377,8 @@ struct ISSUING_DIST_POINT_st {
 # define EXFLAG_SS 0x2000 /* cert is apparently self-signed */
 # define EXFLAG_BCONS_CRITICAL 0x10000
+# define EXFLAG_AKID_CRITICAL 0x20000
+# define EXFLAG_SKID_CRITICAL 0x40000
 # define KU_DIGITAL_SIGNATURE 0x0080
 # define KU_NON_REPUDIATION 0x0040
--
cgit v1.2.3
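Review bot: The new verify results `X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 89` and `X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 90` in include/openssl/x509_vfy.h have no comment naming the rule they report, and the same goes for `EXFLAG_AKID_CRITICAL` and `EXFLAG_SKID_CRITICAL` in include/openssl/x509v3.h, although the neighbouring `EXFLAG_SS` has a trailing comment. A single line above the error codes would do, for example `/* RFC 5280 4.2.1.1 and 4.2.1.2: AKID and SKID must not be marked critical */`, with matching trailing comments on the two flag bits such as `/* AKID extension is marked critical */`. This view is limited to include/, so it cannot be confirmed from here that codes 89 and 90 also have entries in the message table behind X509_verify_cert_error_string() and in the verification documentation. If they are missing, a chain rejected for this reason would presumably be logged with a generic message that hides the cause from whoever triages the failure.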