aboutsummaryrefslogtreecommitdiff
path: root/crypto/x509v3/v3_purp.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/x509v3/v3_purp.c')
-rw-r--r--crypto/x509v3/v3_purp.c29
1 files changed, 22 insertions, 7 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 0d9bc58ce75a..36b0d87a0d8b 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -395,9 +395,6 @@ static void x509v3_cache_extensions(X509 *x)
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
- /* Does subject name match issuer ? */
- if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
- x->ex_flags |= EXFLAG_SI;
/* V1 should mean no extensions ... */
if (!X509_get_version(x))
x->ex_flags |= EXFLAG_V1;
@@ -479,6 +476,10 @@ static void x509v3_cache_extensions(X509 *x)
case NID_dvcs:
x->ex_xkusage |= XKU_DVCS;
break;
+
+ case NID_anyExtendedKeyUsage:
+ x->ex_xkusage |= XKU_ANYEKU;
+ break;
}
}
sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
@@ -494,6 +495,13 @@ static void x509v3_cache_extensions(X509 *x)
}
x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+ /* Does subject name match issuer ? */
+ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
+ x->ex_flags |= EXFLAG_SI;
+ /* If SKID matches AKID also indicate self signed */
+ if (X509_check_akid(x, x->akid) == X509_V_OK)
+ x->ex_flags |= EXFLAG_SS;
+ }
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
if (!x->nc && (i != -1))
@@ -598,8 +606,8 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
return 0;
if (ca)
return check_ssl_ca(x);
- /* We need to do digital signatures with it */
- if (ku_reject(x, KU_DIGITAL_SIGNATURE))
+ /* We need to do digital signatures or key agreement */
+ if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT))
return 0;
/* nsCertType if present should allow SSL client use */
if (ns_reject(x, NS_SSL_CLIENT))
@@ -607,6 +615,14 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
return 1;
}
+/*
+ * Key usage needed for TLS/SSL server: digital signature, encipherment or
+ * key agreement. The ssl code can check this more thoroughly for individual
+ * key types.
+ */
+#define KU_TLS \
+ KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT
+
static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
int ca)
{
@@ -617,8 +633,7 @@ static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
if (ns_reject(x, NS_SSL_SERVER))
return 0;
- /* Now as for keyUsage: we'll at least need to sign OR encipher */
- if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT))
+ if (ku_reject(x, KU_TLS))
return 0;
return 1;
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-30 18:07:13 +0000