-/* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
NID_sbgp_autonomousSysNum, /* 291 */
#endif
NID_policy_constraints, /* 401 */
- NID_proxyCertInfo, /* 663 */
NID_name_constraints, /* 666 */
NID_policy_mappings, /* 747 */
NID_inhibit_any_policy /* 748 */
x509v3_cache_extensions_internal(X509 *x)
{
BASIC_CONSTRAINTS *bs;
- PROXY_CERT_INFO_EXTENSION *pci;
ASN1_BIT_STRING *usage;
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
x->ex_flags |= EXFLAG_INVALID;
}
- /* Handle proxy certificates */
- if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
- if (x->ex_flags & EXFLAG_CA ||
- X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
- X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
- x->ex_flags |= EXFLAG_INVALID;
- }
- if (pci->pcPathLengthConstraint) {
- if (pci->pcPathLengthConstraint->type ==
- V_ASN1_NEG_INTEGER) {
- x->ex_flags |= EXFLAG_INVALID;
- x->ex_pcpathlen = 0;
- } else
- x->ex_pcpathlen =
- ASN1_INTEGER_get(pci->
- pcPathLengthConstraint);
- } else
- x->ex_pcpathlen = -1;
- PROXY_CERT_INFO_EXTENSION_free(pci);
- x->ex_flags |= EXFLAG_PROXY;
- } else if (i != -1) {
- x->ex_flags |= EXFLAG_INVALID;
- }
-
/* Handle key usage */
if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
if (usage->length > 0) {
return ret;
}
- if (subject->ex_flags & EXFLAG_PROXY) {
- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+ if (ku_reject(issuer, KU_KEY_CERT_SIGN))
return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
return X509_V_OK;
}
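Review bot: With the proxy branch gone, keyCertSign is the only key-usage requirement left on an issuer, and nothing in the new code records why the digitalSignature carve-out disappeared; a one-line comment above the remaining check would spare the next reader a trip through the history, e.g. `/* An issuer must be allowed to sign certificates; proxy certificates (RFC 3820), whose issuer only needed digitalSignature, are no longer supported. */`. A former proxy certificate now reaches this check as an end-entity certificate issued by another end-entity, so it is rejected with X509_V_ERR_KEYUSAGE_NO_CERTSIGN, presumably only when the issuer actually carries a keyUsage extension since ku_reject is not visible here, which is the fail-closed outcome. The enclosing function starts before this hunk.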
-/* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
int (*cb)(int xok, X509_STORE_CTX *xctx);
int proxy_path_length = 0;
int purpose;
- int allow_proxy_certs;
cb = ctx->verify_cb;
must_be_ca = -1;
/* CRL path validation */
- if (ctx->parent) {
- allow_proxy_certs = 0;
+ if (ctx->parent)
purpose = X509_PURPOSE_CRL_SIGN;
- } else {
- allow_proxy_certs =
- !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+ else
purpose = ctx->param->purpose;
- }
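Review bot: X509_V_FLAG_ALLOW_PROXY_CERTS is no longer read anywhere in this function, so if the flag is still defined in the public header a caller that sets it gets neither an error nor proxy support; the chain presumably then fails at the key-usage or CA checks, which is fail-closed but silent, so the header and manual page should mark the flag as accepted-and-ignored. The remaining two-way assignment reads more compactly as `purpose = ctx->parent ? X509_PURPOSE_CRL_SIGN : ctx->param->purpose;`, keeping the `/* CRL path validation */` comment above it. The enclosing function starts before this hunk.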
/* Check all untrusted certificates */
for (i = 0; i < ctx->num_untrusted; i++) {
if (!ok)
goto end;
}
- if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
- ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- ok = cb(0, ctx);
- if (!ok)
- goto end;
- }
ret = X509_check_ca(x);
switch (must_be_ca) {
case -1:
/* Increment path length if not self issued */
if (!(x->ex_flags & EXFLAG_SI))
plen++;
- /* If this certificate is a proxy certificate, the next
- certificate must be another proxy certificate or a EE
- certificate. If not, the next certificate must be a
- CA certificate. */
- if (x->ex_flags & EXFLAG_PROXY) {
- if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
- ctx->error =
- X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- ok = cb(0, ctx);
- if (!ok)
- goto end;
- }
- proxy_path_length++;
- must_be_ca = 0;
- } else
- must_be_ca = 1;
+ must_be_ca = 1;
}
ok = 1;
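Review bot: The deleted `proxy_path_length++` was the only write to `proxy_path_length`, which an earlier hunk still declares as `int proxy_path_length = 0;`, so the variable is now a constant zero; if the path-length check outside this hunk still adds it to `x->ex_pathlen`, that term should be folded into the existing `+ 1` and the declaration removed rather than left as dead state. Likewise `must_be_ca` now only ever holds -1 (its initial value) or 1 (set unconditionally here), so the `case 0:` arm of the `switch (must_be_ca)` shown as context in the preceding hunk, presumably the one reporting X509_V_ERR_INVALID_NON_CA, looks unreachable and can go with it. The enclosing loop and function start before this hunk.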