path: root/src/lib/libcrypto/ecdsa/ecs_ossl.c
author: tb <> 2023-06-25 13:52:27 +0000
committer: tb <> 2023-06-25 13:52:27 +0000
commit: 59a4ff4a98546fcbdec1be40dac8c219cb5f5e95
tree: 0a021ec29597e06c18b7ca843457986e9d026455 /src/lib/libcrypto/ecdsa/ecs_ossl.c
parent: 8b6c9ea88db3e77ebd54669fbcaad15b57395510
Check for duplicate X.509v3 extension OIDs

Per RFC 5280, 4.2: A certificate MUST NOT include more than one instance of a particular extension.

This implements such a check in x509v3_cache_extensions() by sorting the list of extensions and looking for duplicate neighbors. This sidesteps complications from extensions we do not know about and keeps algorithmic complexity reasonable.

If the check fails, EXFLAG_INVALID is set on the certificate, which means that the verifier will not validate it.

ok jsing

Diffstat (limited to 'src/lib/libcrypto/ecdsa/ecs_ossl.c')
0 files changed, 0 insertions, 0 deletions
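
The sort-then-compare-neighbors check that the commit message describes, as an added example that is not LibreSSL's code. It works on raw DER-encoded OID bytes instead of libcrypto types; `struct ext_oid`, `has_duplicate_ext_oids()` and the sample arrays are hypothetical names with constructed data.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an extension: just the DER content bytes of its OID. */
struct ext_oid { const unsigned char *der; size_t len; };

/* Total order: shorter encodings first, then bytewise. Needs no OID table. */
static int
ext_oid_cmp(const void *a, const void *b)
{
	const struct ext_oid *x = a, *y = b;

	if (x->len != y->len)
		return x->len < y->len ? -1 : 1;
	return memcmp(x->der, y->der, x->len);
}

/* 1: some OID repeats; 0: all distinct; -1: allocation failure (treat as invalid). */
int
has_duplicate_ext_oids(const struct ext_oid *exts, size_t n)
{
	struct ext_oid *sorted;
	size_t i;
	int dup = 0;

	if (n < 2)
		return 0;
	if ((sorted = calloc(n, sizeof(*sorted))) == NULL)
		return -1;
	memcpy(sorted, exts, n * sizeof(*sorted));	/* keep the caller's order intact */
	qsort(sorted, n, sizeof(*sorted), ext_oid_cmp);
	/* After sorting, equal OIDs are neighbors, so one linear pass finds them. */
	for (i = 1; i < n && !dup; i++)
		dup = ext_oid_cmp(&sorted[i - 1], &sorted[i]) == 0;
	free(sorted);
	return dup;
}

/* Constructed sample data: three standard OIDs and one private-arc OID. */
static const unsigned char oid_ku[] = { 0x55, 0x1d, 0x0f };	/* 2.5.29.15 keyUsage */
static const unsigned char oid_san[] = { 0x55, 0x1d, 0x11 };	/* 2.5.29.17 subjectAltName */
static const unsigned char oid_bc[] = { 0x55, 0x1d, 0x13 };	/* 2.5.29.19 basicConstraints */
static const unsigned char oid_priv[] = { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x86, 0x8d, 0x1f, 0x01 };
const struct ext_oid cert_ok[] = { { oid_bc, 3 }, { oid_priv, 9 }, { oid_ku, 3 }, { oid_san, 3 } };
const struct ext_oid cert_dup[] = { { oid_priv, 9 }, { oid_bc, 3 }, { oid_ku, 3 }, { oid_priv, 9 } };
```

Because the comparison is on encoded bytes, the repeated private-arc OID in `cert_dup` is caught even though nothing here knows what that extension means, and the cost is one O(n log n) sort plus a linear scan.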