projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Extension checking fixes.
[openssl.git] / crypto / x509v3 / v3_purp.c
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 9b19b362b9b0b5e40ce70dd16c0089d1a3356117..5f931db3b98138b65cd2b366269598f42f45d528 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -87,7 +87,7 @@ static X509_PURPOSE xstandard[] = {
        {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
        {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
        {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
-       {X509_PURPOSE_OCSP_HELPER, X509_TRUST_OCSP_SIGN, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
+       {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
        {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
 };
 
@@ -386,8 +386,8 @@ static void x509v3_cache_extensions(X509 *x)
        /* Handle proxy certificates */
        if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
                if (x->ex_flags & EXFLAG_CA
-                   || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
-                   || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+                   || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
+                   || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
                        x->ex_flags |= EXFLAG_INVALID;
                }
                if (pci->pcPathLengthConstraint) {
@@ -684,7 +684,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
                return 0;
 
        /* Extended Key Usage MUST be critical */
-       i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
+       i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
        if (i_ext >= 0)
                {
                X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
Unnamed repository; edit this file 'description' to name the repository.