check_chain_extensions(): Add check that CA cert includes key usage extension
[openssl.git] / crypto / x509 / x509_vfy.c
index 966733dbb70117d7a6e8180a5b05b4f377baa422..e8ca44a9034bab3dcf796fcfd14e71905519a9d5 100644 (file)
@@ -536,10 +536,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                     && (x->ex_flags & EXFLAG_BCONS) != 0
                     && (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0)
                 ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL;
-            /* Check keyCertSign according to RFC 5280 section 4.2.1.3 */
-            if ((x->ex_flags & EXFLAG_CA) == 0
-                    && (x->ex_kusage & KU_KEY_CERT_SIGN) != 0)
-                ctx->error = X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA;
+            /* Check key usages according to RFC 5280 section 4.2.1.3 */
+            if ((x->ex_flags & EXFLAG_CA) != 0) {
+                if ((x->ex_flags & EXFLAG_KUSAGE) == 0)
+                    ctx->error = X509_V_ERR_CA_CERT_MISSING_KEY_USAGE;
+            } else {
+                if ((x->ex_kusage & KU_KEY_CERT_SIGN) != 0)
+                    ctx->error = X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA;
+            }
             /* Check issuer is non-empty acc. to RFC 5280 section 4.1.2.4 */
             if (X509_NAME_entry_count(X509_get_issuer_name(x)) == 0)
                 ctx->error = X509_V_ERR_ISSUER_NAME_EMPTY;
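Review bot: The new CA branch at `if ((x->ex_flags & EXFLAG_CA) != 0)` only establishes that the keyUsage extension is present, not that it asserts keyCertSign, which is the bit RFC 5280 section 4.2.1.3 requires before the key may verify certificate signatures, so a CA certificate whose keyUsage is, say, digitalSignature alone passes this check. If that case is rejected elsewhere (OpenSSL's check_ca() has refused a keyUsage lacking keyCertSign in earlier versions, but that is not visible here), a one-line note would keep the next reader from re-adding the check, e.g. `/* presence only; keyCertSign itself is enforced by check_ca() */`, to be confirmed against that helper. The enclosing `if` begins before this hunk, so it is not visible whether this block runs only under X509_V_FLAG_X509_STRICT; if it runs unconditionally and the trust anchor is iterated like every other chain element, roots that omit keyUsage, which older ones do, will start failing with X509_V_ERR_CA_CERT_MISSING_KEY_USAGE. Note also that ctx->error is simply overwritten by each later check, so a CA missing keyUsage that also has an empty issuer name reports only X509_V_ERR_ISSUER_NAME_EMPTY; that matches the existing lines but is worth a comment so callers do not expect the first failure.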