Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
ASN1_BIT_STRING *usage;
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
ASN1_BIT_STRING *usage;
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
x->ex_flags |= EXFLAG_INVALID;
#endif
for (i = 0; i < X509_get_ext_count(x); i++) {
x->ex_flags |= EXFLAG_INVALID;
#endif
for (i = 0; i < X509_get_ext_count(x); i++) {
- ex = X509_get_ext(x, i);
- if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl)
+ X509_EXTENSION *ex = X509_get_ext(x, i);
+ int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
+
+ if (nid == NID_freshest_crl)
x->ex_flags |= EXFLAG_FRESHEST;
if (!X509_EXTENSION_get_critical(ex))
continue;
x->ex_flags |= EXFLAG_FRESHEST;
if (!X509_EXTENSION_get_critical(ex))
continue;
- if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints)
- x->ex_flags |= EXFLAG_BCONS_CRITICAL;
if (!X509_supported_extension(ex)) {
x->ex_flags |= EXFLAG_CRITICAL;
break;
}
if (!X509_supported_extension(ex)) {
x->ex_flags |= EXFLAG_CRITICAL;
break;
}
+ switch (nid) {
+ case NID_basic_constraints:
+ x->ex_flags |= EXFLAG_BCONS_CRITICAL;
+ break;
+ case NID_authority_key_identifier:
+ x->ex_flags |= EXFLAG_AKID_CRITICAL;
+ break;
+ case NID_subject_key_identifier:
+ x->ex_flags |= EXFLAG_SKID_CRITICAL;
+ break;
+ default:
+ break;
+ }
}
/* Set x->siginf, ignoring errors due to unsupported algos */
}
/* Set x->siginf, ignoring errors due to unsupported algos */
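Review bot: The new `switch (nid)` sits after the `X509_supported_extension(ex)` test, so its AKID and SKID cases are reached only for critical extensions that the function reports as supported. X509_supported_extension() is not shown here; if its list lacks NID_authority_key_identifier and NID_subject_key_identifier, a critical AKID or SKID takes the `break` with EXFLAG_CRITICAL, and EXFLAG_AKID_CRITICAL / EXFLAG_SKID_CRITICAL are never set. Such a certificate would presumably still fail as an unhandled critical extension, but the two new verify errors would be unreachable. Please confirm the supported list and consider a test certificate with a critical AKID that expects X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL. The enclosing function starts and ends outside this section.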
return "Empty Subject Alternative Name extension";
case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
return "Basic Constraints of CA cert not marked critical";
return "Empty Subject Alternative Name extension";
case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
return "Basic Constraints of CA cert not marked critical";
+ case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL:
+ return "Authority Key Identifier marked critical";
+ case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
+ return "Subject Key Identifier marked critical";
default:
/* Printing an error number into a static buffer is not thread-safe */
default:
/* Printing an error number into a static buffer is not thread-safe */
/* Check sig alg consistency acc. to RFC 5280 section 4.1.1.2 */
if (X509_ALGOR_cmp(&x->sig_alg, &x->cert_info.signature) != 0)
ctx->error = X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY;
/* Check sig alg consistency acc. to RFC 5280 section 4.1.1.2 */
if (X509_ALGOR_cmp(&x->sig_alg, &x->cert_info.signature) != 0)
ctx->error = X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY;
+ if (x->akid != NULL && (x->ex_flags & EXFLAG_AKID_CRITICAL) != 0)
+ ctx->error = X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL;
+ if (x->skid != NULL && (x->ex_flags & EXFLAG_SKID_CRITICAL) != 0)
+ ctx->error = X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL;
if (X509_get_version(x) >= 2) { /* at least X.509v3 */
/* Check AKID presence acc. to RFC 5280 section 4.2.1.1 */
if (i + 1 < num /*
if (X509_get_version(x) >= 2) { /* at least X.509v3 */
/* Check AKID presence acc. to RFC 5280 section 4.2.1.1 */
if (i + 1 < num /*
*/
&& (x->akid == NULL || x->akid->keyid == NULL))
ctx->error = X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER;
*/
&& (x->akid == NULL || x->akid->keyid == NULL))
ctx->error = X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER;
- /* TODO check that AKID extension is not critical */
/* Check SKID presence acc. to RFC 5280 section 4.2.1.2 */
if ((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL)
ctx->error = X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER;
/* Check SKID presence acc. to RFC 5280 section 4.2.1.2 */
if ((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL)
ctx->error = X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER;
- /* TODO check that SKID extension is not be critical */
}
}
if (ctx->error != X509_V_OK)
}
}
if (ctx->error != X509_V_OK)
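Review bot: The two added checks assign `ctx->error` unconditionally, like the checks around them, so only the last failing check for a certificate is reported: a critical AKID is replaced by a critical SKID, and either can be replaced by the MISSING_*_KEY_IDENTIFIER checks below. What follows `if (ctx->error != X509_V_OK)` is outside this section, but if the verify callback is invoked once with that final value, a callback that tolerates the later error never sees the earlier one. I would at least document this above the checks, e.g. `/* Each check overwrites ctx->error; only the last failure reaches the callback */`, or report each failure separately. The enclosing block begins and ends outside the section.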
# define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86
# define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87
# define X509_V_ERR_CA_BCONS_NOT_CRITICAL 88
# define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86
# define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87
# define X509_V_ERR_CA_BCONS_NOT_CRITICAL 88
+# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 89
+# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 90
/* Certificate verify flags */
# ifndef OPENSSL_NO_DEPRECATED_1_1_0
/* Certificate verify flags */
# ifndef OPENSSL_NO_DEPRECATED_1_1_0
# define EXFLAG_SS 0x2000 /* cert is apparently self-signed */
# define EXFLAG_BCONS_CRITICAL 0x10000
# define EXFLAG_SS 0x2000 /* cert is apparently self-signed */
# define EXFLAG_BCONS_CRITICAL 0x10000
+# define EXFLAG_AKID_CRITICAL 0x20000
+# define EXFLAG_SKID_CRITICAL 0x40000
# define KU_DIGITAL_SIGNATURE 0x0080
# define KU_NON_REPUDIATION 0x0040
# define KU_DIGITAL_SIGNATURE 0x0080
# define KU_NON_REPUDIATION 0x0040