return "Subject Key Identifier marked critical";
case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
return "CA cert does not include key usage extension";
+ case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3:
+ return "Using cert extension requires at least X509v3";
default:
/* Printing an error number into a static buffer is not thread-safe */
#include "x509_local.h"
DEFINE_STACK_OF(X509)
+DEFINE_STACK_OF(X509_EXTENSION)
DEFINE_STACK_OF(X509_REVOKED)
DEFINE_STACK_OF(GENERAL_NAME)
DEFINE_STACK_OF(X509_CRL)
/* Check SKID presence acc. to RFC 5280 section 4.2.1.2 */
if ((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL)
ctx->error = X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER;
+ } else {
+ if (sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0)
+ ctx->error = X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3;
}
}
if (ctx->error != X509_V_OK)
# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90
# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91
# define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92
+# define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 93
/* Certificate verify flags */
# ifndef OPENSSL_NO_DEPRECATED_1_1_0