If extensions are encountered on a X.509 V1 cert, mark as invalid

While there, explicitly check for 0 - as X509_get_version() is a wrapper around the less than beloved ASN1_INTEGER_get(). OK tb@
author: job <> 2023-04-23 21:39:19 +0000
committer: job <> 2023-04-23 21:39:19 +0000
commit: 6890c17c165600353035d2ed857ba0e7c4005d42 (patch)
tree: be27adbe508598a0886d58f7a61e2b70a6fcc40d
parent: 4c20d9bfcef952ee5a32034ed25c792413465fde (diff)
download: openbsd-6890c17c165600353035d2ed857ba0e7c4005d42.tar.gz
openbsd-6890c17c165600353035d2ed857ba0e7c4005d42.tar.bz2
openbsd-6890c17c165600353035d2ed857ba0e7c4005d42.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 621f6f0f90..e0069313b9 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.23 2023/04/23 21:39:19 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -457,8 +457,11 @@ x509v3_cache_extensions_internal(X509 *x)
        X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL);
        /* V1 should mean no extensions ... */
-        if (!X509_get_version(x))
+        if (X509_get_version(x) == 0) {
                x->ex_flags |= EXFLAG_V1;
+                if (X509_get_ext_count(x) > 0)
+                        x->ex_flags |= EXFLAG_INVALID;
+        }
        /* Handle basic constraints */
        if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) {
author	job <>	2023-04-23 21:39:19 +0000
committer	job <>	2023-04-23 21:39:19 +0000
commit	6890c17c165600353035d2ed857ba0e7c4005d42 (patch)
tree	be27adbe508598a0886d58f7a61e2b70a6fcc40d
parent	4c20d9bfcef952ee5a32034ed25c792413465fde (diff)
download	openbsd-6890c17c165600353035d2ed857ba0e7c4005d42.tar.gz openbsd-6890c17c165600353035d2ed857ba0e7c4005d42.tar.bz2 openbsd-6890c17c165600353035d2ed857ba0e7c4005d42.zip