field | value | date |
---|---|---|
author | tb <> | 2023-06-25 13:52:27 +0000 |
committer | tb <> | 2023-06-25 13:52:27 +0000 |
commit | 8919d61b9c2ddf1361401516b4966661c64921e2 | |
tree | 0a021ec29597e06c18b7ca843457986e9d026455 /src/lib/libc | |
parent | ee2a1487217437d0cbc8d2cba036b6b755509997 | |

Check for duplicate X.509v3 extension OIDs

Per RFC 5280, 4.2: A certificate MUST NOT include more than one instance
of a particular extension.

This implements such a check in x509v3_cache_extensions() by sorting the
list of extensions and looking for duplicate neighbors. This sidesteps
complications from extensions we do not know about and keeps algorithmic
complexity reasonable. If the check fails, EXFLAG_INVALID is set on the
certificate, which means that the verifier will not validate it.

ok jsing

Diffstat (limited to 'src/lib/libc')
0 files changed, 0 insertions, 0 deletions
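
The sort-and-compare-neighbors approach described in the commit message, as a self-contained example added here; it is not the code from this commit and does not use libcrypto. The names `ext_oid` and `has_duplicate_ext_oids`, the ordering (encoded length first, then bytes) and the sample OID lists are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one extension's OID (DER content octets). */
struct ext_oid { const unsigned char *der; size_t len; };

/* Constructed sample OIDs: keyUsage, basicConstraints, a private-arc OID. */
const unsigned char OID_KU[] = { 0x55, 0x1d, 0x0f };
const unsigned char OID_BC[] = { 0x55, 0x1d, 0x13 };
const unsigned char OID_PRIV[] = { 0x2b, 0x06, 0x01, 0x04, 0x01,
    0x86, 0x8d, 0x1f, 0x01 };
#define E(o) { o, sizeof(o) }
/* Constructed extension lists; BAD_CERT repeats an OID no parser knows. */
const struct ext_oid GOOD_CERT[] = { E(OID_BC), E(OID_PRIV), E(OID_KU) };
const struct ext_oid BAD_CERT[] = { E(OID_PRIV), E(OID_BC), E(OID_KU),
    E(OID_PRIV) };

/* Total order on OIDs: by encoded length first, then bytewise. */
static int
ext_oid_cmp(const void *a, const void *b)
{
	const struct ext_oid *x = a, *y = b;

	if (x->len != y->len)
		return x->len < y->len ? -1 : 1;
	return memcmp(x->der, y->der, x->len);
}

/* 1 if any OID repeats, 0 if all are unique, -1 on allocation failure. */
int
has_duplicate_ext_oids(const struct ext_oid *exts, size_t n)
{
	struct ext_oid *sorted;
	size_t i;
	int dup = 0;

	if (n < 2)
		return 0;
	if ((sorted = calloc(n, sizeof(*sorted))) == NULL)
		return -1;
	/* Sort a copy so the certificate's own extension order is untouched. */
	memcpy(sorted, exts, n * sizeof(*sorted));
	qsort(sorted, n, sizeof(*sorted), ext_oid_cmp);
	/* After sorting, equal OIDs are adjacent: one linear pass finds them. */
	for (i = 1; i < n && !dup; i++)
		dup = ext_oid_cmp(&sorted[i - 1], &sorted[i]) == 0;
	free(sorted);
	return dup;
}
```

Because only the encoded OID bytes are compared, the repeated private-arc OID in `BAD_CERT` is caught without the checker knowing what that extension means. A caller should treat any nonzero return, including the allocation failure, as grounds to mark the certificate invalid.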