From a9f5e6b57f9bd3b596944f96f5d93de89ddc204a Mon Sep 17 00:00:00 2001
From: beck
Date: Thu, 10 Nov 2022 16:52:19 +0000
Subject: [PATCH] Allow explicit cert trusts or distrusts for EKU any

This matches the current OpenSSL behaviour introduced in their commit:

commit 0daccd4dc1f1ac62181738a91714f35472e50f3c
Date: Thu Jan 28 03:01:45 2016 -0500

ok jsing@ tb@
---
 lib/libcrypto/x509/x509_trs.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c
index 72d616a1066..a967edf9337 100644
--- a/lib/libcrypto/x509/x509_trs.c
+++ b/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.26 2022/11/10 16:52:19 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -322,7 +322,7 @@ static int
 obj_trust(int id, X509 *x, int flags)
 {
 ASN1_OBJECT *obj;
- int i;
+ int i, nid;
 X509_CERT_AUX *ax;

 ax = x->aux;
@@ -331,14 +331,16 @@ obj_trust(int id, X509 *x, int flags)
 if (ax->reject) {
 for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
 obj = sk_ASN1_OBJECT_value(ax->reject, i);
- if (OBJ_obj2nid(obj) == id)
+ nid = OBJ_obj2nid(obj);
+ if (nid == id || nid == NID_anyExtendedKeyUsage)
 return X509_TRUST_REJECTED;
 }
 }
 if (ax->trust) {
 for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
 obj = sk_ASN1_OBJECT_value(ax->trust, i);
- if (OBJ_obj2nid(obj) == id)
+ nid = OBJ_obj2nid(obj);
+ if (nid == id || nid == NID_anyExtendedKeyUsage)
 return X509_TRUST_TRUSTED;
 }
 }
-- 
2.20.1
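Review bot: The precedence between the two loops in the last hunk now carries a security meaning that the code does not state: because the reject list is walked first and returns immediately, an explicit reject of anyExtendedKeyUsage overrides every trust entry, and a specific reject of `id` overrides a trust entry for anyExtendedKeyUsage, so a certificate carrying both a reject and a trust is distrusted. I would record that above the reject loop, e.g. `/* Reject entries win: a reject of anyExtendedKeyUsage, or of id itself, overrides any trust entry, including a trust of anyExtendedKeyUsage. */`. Note also that the widening applies to every caller of obj_trust whatever `id` it passes, so a certificate marked trusted for anyExtendedKeyUsage now satisfies purposes that previously required an exact OID match; the callers are outside this hunk and the commit message cites only OpenSSL parity, so whether that is intended for all of them should be confirmed. obj_trust's body ends outside the hunk.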