author | Rob Austein <sra@hactrn.net> | 2011-04-13 21:58:44 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2011-04-13 21:58:44 +0000 |
commit | 335401110f4f6f37448c9d3ada72a04799fc0055 (patch) | |
tree | a71247d072d2c9be36254511d250a6107b740a9f | |
parent | c29b5dfb1b0d1664d761f78acd2db378c4886a95 (diff) |
Don't allow EKU extension in CA certs.
svn path=/rcynic/rcynic.c; revision=3771
-rw-r--r-- | rcynic/rcynic.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 4e5b3db1..bdd9a344 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -2045,7 +2045,7 @@ static int check_x509(const rcynic_ctx_t *rc,
  * Also returns failure in a few null-pointer cases that can't
  * possibly conform to profile.
  */
-static int check_cert_only_allowed_extensions(const X509 *x)
+static int check_cert_only_allowed_extensions(const X509 *x, const int allow_eku)
 {
   int i;
 
@@ -2059,7 +2059,6 @@ static int check_cert_only_allowed_extensions(const X509 *x)
     case NID_subject_key_identifier:
     case NID_authority_key_identifier:
     case NID_key_usage:
-    case NID_ext_key_usage:
     case NID_crl_distribution_points:
     case NID_info_access:
     case NID_sinfo_access:
@@ -2067,6 +2066,11 @@ static int check_cert_only_allowed_extensions(const X509 *x)
     case NID_sbgp_ipAddrBlock:
     case NID_sbgp_autonomousSysNum:
       continue;
+    case NID_ext_key_usage:
+      if (allow_eku)
+        continue;
+      else
+        return 0;
     default:
       return 0;
     }
@@ -2146,7 +2150,7 @@ static X509 *check_cert_1(const rcynic_ctx_t *rc,
     goto punt;
   }
 
-  if (!check_cert_only_allowed_extensions(x)) {
+  if (!check_cert_only_allowed_extensions(x, !subj->ca)) {
     reject(rc, uri, disallowed_extension,
            "due to disallowed X.509v3 extension");
     goto punt;
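Review bot: The new `allow_eku` parameter of check_cert_only_allowed_extensions is not described in the function's header comment, whose tail (`* Also returns failure ...`) is visible as context in the first hunk; a reader of the caller's `!subj->ca` argument has to work out from the switch body that EKU is tolerated only in end-entity certificates and is grounds for rejection in CA certificates. I would add a line such as ` * allow_eku: nonzero permits the extKeyUsage extension (EE certs only); the profile forbids it in CA certs.` to that comment. In the third hunk the `else return 0;` under `case NID_ext_key_usage:` duplicates the `default: return 0;` two lines below, so the case can read `if (allow_eku) continue;` followed by `return 0;` without the else, or simply fall through to default with a `/* fallthrough */` marker. The body of check_cert_only_allowed_extensions begins in the first hunk but its switch and return run past the third, and check_cert_1 begins outside the last hunk.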