Diffstat (limited to 'src/lib/libcrypto/x509/x509_purp.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_purp.c | 33 |
1 files changed, 2 insertions, 31 deletions
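--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -380,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex)
 NID_sbgp_autonomousSysNum, /* 291 */
 #endif
 NID_policy_constraints, /* 401 */
-NID_proxyCertInfo, /* 663 */
 NID_name_constraints, /* 666 */
 NID_policy_mappings, /* 747 */
 NID_inhibit_any_policy /* 748 */
@@ -446,7 +445,6 @@ static void
 x509v3_cache_extensions_internal(X509 *x)
 {
 BASIC_CONSTRAINTS *bs;
-PROXY_CERT_INFO_EXTENSION *pci;
 ASN1_BIT_STRING *usage;
 ASN1_BIT_STRING *ns;
 EXTENDED_KEY_USAGE *extusage;
@@ -481,30 +479,6 @@ x509v3_cache_extensions_internal(X509 *x)
 x->ex_flags |= EXFLAG_INVALID;
 }
 
-/* Handle proxy certificates */
-if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
-if (x->ex_flags & EXFLAG_CA ||
-X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
-X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
-x->ex_flags |= EXFLAG_INVALID;
-}
-if (pci->pcPathLengthConstraint) {
-if (pci->pcPathLengthConstraint->type ==
-V_ASN1_NEG_INTEGER) {
-x->ex_flags |= EXFLAG_INVALID;
-x->ex_pcpathlen = 0;
-} else
-x->ex_pcpathlen =
-ASN1_INTEGER_get(pci->
-pcPathLengthConstraint);
-} else
-x->ex_pcpathlen = -1;
-PROXY_CERT_INFO_EXTENSION_free(pci);
-x->ex_flags |= EXFLAG_PROXY;
-} else if (i != -1) {
-x->ex_flags |= EXFLAG_INVALID;
-}
-
 /* Handle key usage */
 if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
 if (usage->length > 0) {
@@ -908,10 +882,7 @@ X509_check_issued(X509 *issuer, X509 *subject)
 return ret;
 }
 
-if (subject->ex_flags & EXFLAG_PROXY) {
-if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
-return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
-} else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+if (ku_reject(issuer, KU_KEY_CERT_SIGN))
 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
 return X509_V_OK;
 }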
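Review bot: Rejection of proxy certificates is now implicit and undocumented: with `NID_proxyCertInfo` gone from the list in X509_supported_extension and the caching block removed from x509v3_cache_extensions_internal, nothing in this file sets `EXFLAG_PROXY` or `EXFLAG_INVALID` for a certificate carrying proxyCertInfo. A critical instance is presumably caught by the unhandled-critical-extension path, which is not visible here, while a non-critical one is treated as an ordinary certificate and relies on the now-unconditional `KU_KEY_CERT_SIGN` check in X509_check_issued. I would record that intent where the entry was removed, for example `/* proxyCertInfo (RFC 3820) is intentionally unsupported; a critical instance must fail as an unknown critical extension */`, and add a regression test asserting that a chain containing a certificate issued by an end-entity certificate and carrying the extension fails verification. Any remaining readers of `EXFLAG_PROXY` or `ex_pcpathlen` outside this file would now see values that are never set, so they are worth checking in the same change. All three functions start or end outside the hunks shown.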
