Added restrictions on the use of proxy certificates, as they may pose
index 9f992c9087598a7125b140252baa7714106e6417..1222c3ce5b13ac6f11dc3060f01a528b6235c3ec 100644 (file)
@@ -338,7 +338,9 @@ static void x509v3_cache_extensions(X509 *x)
        }
        /* Handle proxy certificates */
        if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
-               if (x->ex_flags & EXFLAG_CA) {
+               if (x->ex_flags & EXFLAG_CA
+                   || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+                   || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
                        x->ex_flags |= EXFLAG_INVALID;
                }
                if (pci->pcPathLengthConstraint) {
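Review bot: The two alt-name lookups added at the condition pass `lastpos = 0`, but X509_get_ext_by_NID begins its scan at lastpos + 1, so an extension sitting at index 0 of the certificate's extension stack is never examined; a proxy certificate whose subjectAltName or issuerAltName happens to be its first extension would therefore not be marked EXFLAG_INVALID, which defeats the restriction this commit is adding. Start from the first slot instead: `|| X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0` and `|| X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0`. A one-line comment stating the rationale would help the next reader, e.g. `/* RFC 3820 sec. 3: a proxy cert must not carry subjectAltName or issuerAltName, nor be a CA */`. x509v3_cache_extensions begins before this hunk and continues after it, so the `pci` lifetime and the remaining proxy handling are not visible here.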