summaryrefslogtreecommitdiffstats
path: root/crypto/x509/x509_trs.c
diff options
context:
space:
mode:
authorViktor Dukhovni <openssl-users@dukhovni.org>2016-01-28 09:01:45 +0100
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-02-01 03:23:23 +0100
commit0daccd4dc1f1ac62181738a91714f35472e50f3c (patch)
tree5b7c2b6c5db0c2caf223ea978db03559b5eb90f8 /crypto/x509/x509_trs.c
parentZero newly allocated points (diff)
downloadopenssl-0daccd4dc1f1ac62181738a91714f35472e50f3c.tar.xz
openssl-0daccd4dc1f1ac62181738a91714f35472e50f3c.zip
Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary trust OIDs (given a trust suitably related to the intended purpose). Added tests and updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'crypto/x509/x509_trs.c')
-rw-r--r--crypto/x509/x509_trs.c19
1 files changed, 11 insertions, 8 deletions
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 7392c55953..c81c725ea1 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -276,7 +276,7 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
{
- if (x->aux)
+ if (x->aux && (x->aux->trust || x->aux->reject))
return obj_trust(trust->arg1, x, flags);
return X509_TRUST_UNTRUSTED;
}
@@ -293,23 +293,26 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
static int obj_trust(int id, X509 *x, int flags)
{
- ASN1_OBJECT *obj;
+ X509_CERT_AUX *ax = x->aux;
int i;
- X509_CERT_AUX *ax;
- ax = x->aux;
+
if (!ax)
return X509_TRUST_UNTRUSTED;
if (ax->reject) {
for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
- obj = sk_ASN1_OBJECT_value(ax->reject, i);
- if (OBJ_obj2nid(obj) == id)
+ ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i);
+ int nid = OBJ_obj2nid(obj);
+
+ if (nid == id || nid == NID_anyExtendedKeyUsage)
return X509_TRUST_REJECTED;
}
}
if (ax->trust) {
for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
- obj = sk_ASN1_OBJECT_value(ax->trust, i);
- if (OBJ_obj2nid(obj) == id)
+ ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i);
+ int nid = OBJ_obj2nid(obj);
+
+ if (nid == id || nid == NID_anyExtendedKeyUsage)
return X509_TRUST_TRUSTED;
}
/*