x->ex_flags |= EXFLAG_INVALID;
}
- /* Handle basic key usage */
+ /* Handle (basic) key usage */
if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL)) != NULL) {
x->ex_kusage = 0;
if (usage->length > 0) {
x->ex_flags |= EXFLAG_FRESHEST;
if (!X509_EXTENSION_get_critical(ex))
continue;
+ if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints)
+ x->ex_flags |= EXFLAG_BCONS_CRITICAL;
if (!X509_supported_extension(ex)) {
x->ex_flags |= EXFLAG_CRITICAL;
break;
return "Missing Subject Key Identifier";
case X509_V_ERR_EMPTY_SUBJECT_ALT_NAME:
return "Empty Subject Alternative Name extension";
+ case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
+ return "Basic Constraints of CA cert not marked critical";
default:
/* Printing an error number into a static buffer is not thread-safe */
if ((x->ex_kusage & KU_KEY_CERT_SIGN) == 0)
ctx->error = X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN;
}
- /* TODO check basic constrains of CA cert are marked critical */
+ /*
+ * Check Basic Constraints of CA cert are marked critical,
+ * TODO should be only if cert is intended for verifying other certs
+ */
+ if ((x->ex_flags & EXFLAG_CA) != 0
+ && (x->ex_flags & EXFLAG_BCONS) != 0
+ && (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0)
+ ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL;
/* Check keyCertSign according to RFC 5280 section 4.2.1.3 */
if ((x->ex_flags & EXFLAG_CA) == 0
&& (x->ex_kusage & KU_KEY_CERT_SIGN) != 0)
# define X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER 85
# define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86
# define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87
+# define X509_V_ERR_CA_BCONS_NOT_CRITICAL 88
/* Certificate verify flags */
-
# ifndef OPENSSL_NO_DEPRECATED_1_1_0
# define X509_V_FLAG_CB_ISSUER_CHECK 0x0 /* Deprecated */
# endif
# define EXFLAG_NSCERT 0x8
# define EXFLAG_CA 0x10
-/* Really self issued not necessarily self signed */
-# define EXFLAG_SI 0x20
+# define EXFLAG_SI 0x20 /* self-issued, maybe not self-signed */
# define EXFLAG_V1 0x40
# define EXFLAG_INVALID 0x80
/* EXFLAG_SET is set to indicate that some values have been precomputed */
# define EXFLAG_INVALID_POLICY 0x800
# define EXFLAG_FRESHEST 0x1000
-/* Self signed */
-# define EXFLAG_SS 0x2000
+# define EXFLAG_SS 0x2000 /* cert is apparently self-signed */
+
+# define EXFLAG_BCONS_CRITICAL 0x10000
# define KU_DIGITAL_SIGNATURE 0x0080
# define KU_NON_REPUDIATION 0x0040