Don't allow EKU in signed objects. Fixes #645.

svn path=/trunk/; revision=5586
author: Rob Austein <sra@hactrn.net> 2013-11-07 00:38:44 +0000
committer: Rob Austein <sra@hactrn.net> 2013-11-07 00:38:44 +0000
commit: 53c89bbe26005845b25e65bcda96136ffb116650 (patch)
tree: e47674a3f4852f2f3850a054cf6fc226662c2b5f /rcynic
parent: 4d80b9700fffad21a95ca4968954f8bf9c575f79 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 4c1c5f68..ba0b7352 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -3794,7 +3794,7 @@ static int check_x509(rcynic_ctx_t *rc,
 
   if (X509_get_ext_by_NID(x, NID_ext_key_usage, -1) >= 0) {
     ex_count--;
-    if (certinfo->ca) {
+    if (certinfo->ca || !endswith(uri->s, ".cer")) {
       log_validation_status(rc, uri, inappropriate_eku_extension, generation);
       goto done;
     }
author	Rob Austein <sra@hactrn.net>	2013-11-07 00:38:44 +0000
committer	Rob Austein <sra@hactrn.net>	2013-11-07 00:38:44 +0000
commit	53c89bbe26005845b25e65bcda96136ffb116650 (patch)
tree	e47674a3f4852f2f3850a054cf6fc226662c2b5f /rcynic
parent	4d80b9700fffad21a95ca4968954f8bf9c575f79 (diff)