return "Authority Key Identifier marked critical";
case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
return "Subject Key Identifier marked critical";
+ case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
+ return "CA cert does not include key usage extension";
default:
/* Printing an error number into a static buffer is not thread-safe */
&& (x->ex_flags & EXFLAG_BCONS) != 0
&& (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0)
ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL;
- /* Check keyCertSign according to RFC 5280 section 4.2.1.3 */
- if ((x->ex_flags & EXFLAG_CA) == 0
- && (x->ex_kusage & KU_KEY_CERT_SIGN) != 0)
- ctx->error = X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA;
+ /* Check key usages according to RFC 5280 section 4.2.1.3 */
+ if ((x->ex_flags & EXFLAG_CA) != 0) {
+ if ((x->ex_flags & EXFLAG_KUSAGE) == 0)
+ ctx->error = X509_V_ERR_CA_CERT_MISSING_KEY_USAGE;
+ } else {
+ if ((x->ex_kusage & KU_KEY_CERT_SIGN) != 0)
+ ctx->error = X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA;
+ }
/* Check issuer is non-empty acc. to RFC 5280 section 4.1.2.4 */
if (X509_NAME_entry_count(X509_get_issuer_name(x)) == 0)
ctx->error = X509_V_ERR_ISSUER_NAME_EMPTY;
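Review bot: The single comment at the top of the restructured block now covers two distinct requirements, and the CA branch deserves its own note explaining what is actually enforced: `/* RFC 5280 4.2.1.3: a CA cert MUST carry a keyUsage extension */` before the EXFLAG_KUSAGE test, and `/* RFC 5280 4.2.1.3: keyCertSign is only meaningful for CA certs */` before the KU_KEY_CERT_SIGN test, so a reader does not assume the CA branch also validates the keyCertSign bit (it does not; if that bit is checked elsewhere it is not visible in this hunk). Note that ctx->error is plainly assigned rather than returned, so a CA cert that also trips the issuer-name check on the following lines reports only X509_V_ERR_ISSUER_NAME_EMPTY; that is the existing pattern, but it is worth saying in the comment that the last failing check wins. Because this rejects every CA cert without a keyUsage extension, it presumably belongs under the strict-verification gate; that condition, and the enclosing function's start and end, are outside the hunk, so please confirm.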
# define X509_V_ERR_CA_BCONS_NOT_CRITICAL 89
# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90
# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91
+# define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92
/* Certificate verify flags */
# ifndef OPENSSL_NO_DEPRECATED_1_1_0