oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Fix NC, comment on how to use _hx509_check_key_usage.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21860 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2007-08-08 10:25:18 +00:00
parent 8902278a94
commit 0836763de3
1 changed files with 18 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
lib/hx509/cert.c
View File

@@ -605,6 +605,12 @@ check_key_usage(hx509_context context, const Certificate *cert,
return 0; return 0;
} }
/*
* Return 0 on matching key usage 'flags' for 'cert', otherwise return
* an error code. If 'req_present' the existance is required of the
* KeyUsage extension.
*/
int int
_hx509_check_key_usage(hx509_context context, hx509_cert cert, _hx509_check_key_usage(hx509_context context, hx509_cert cert,
unsigned flags, int req_present) unsigned flags, int req_present)
@@ -778,7 +784,8 @@ certificate_is_anchor(hx509_context context,
static int static int
certificate_is_self_signed(const Certificate *cert) certificate_is_self_signed(const Certificate *cert)
{ {
return _hx509_cert_is_parent_cmp(cert, cert, 1) == 0; return _hx509_name_cmp(&cert->tbsCertificate.subject,
&cert->tbsCertificate.issuer) == 0;
} }
/* /*
@@ -1224,6 +1231,7 @@ add_name_constraints(hx509_context context, const Certificate *c, int not_ca,
"have NameConstraints"); "have NameConstraints");
} else { } else {
NameConstraints *val; NameConstraints *val;
printf("adding nc\n");
val = realloc(nc->val, sizeof(nc->val[0]) * (nc->len + 1)); val = realloc(nc->val, sizeof(nc->val[0]) * (nc->len + 1));
if (val == NULL) { if (val == NULL) {
hx509_clear_error_string(context); hx509_clear_error_string(context);
@@ -1498,7 +1506,7 @@ hx509_verify_path(hx509_context context,
#if 0 #if 0
const AlgorithmIdentifier *alg_id; const AlgorithmIdentifier *alg_id;
#endif #endif
int ret, i, proxy_cert_depth; int ret, i, proxy_cert_depth, selfsigned_depth;
enum certtype type; enum certtype type;
Name proxy_issuer; Name proxy_issuer;
hx509_certs anchors = NULL; hx509_certs anchors = NULL;
@@ -1550,6 +1558,7 @@ hx509_verify_path(hx509_context context,
*/ */
proxy_cert_depth = 0; proxy_cert_depth = 0;
selfsigned_depth = 0;
if (ctx->flags & HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE) if (ctx->flags & HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE)
type = PROXY_CERT; type = PROXY_CERT;
@@ -1578,6 +1587,10 @@ hx509_verify_path(hx509_context context,
"Key usage missing from CA certificate"); "Key usage missing from CA certificate");
goto out; goto out;
} }
if (certificate_is_self_signed(c))
selfsigned_depth++;
break; break;
case PROXY_CERT: { case PROXY_CERT: {
ProxyCertInfo info; ProxyCertInfo info;
@@ -1705,7 +1718,8 @@ hx509_verify_path(hx509_context context,
break; break;
} }
ret = check_basic_constraints(context, c, type, i - proxy_cert_depth); ret = check_basic_constraints(context, c, type,
i - proxy_cert_depth - selfsigned_depth);
if (ret) if (ret)
goto out; goto out;
@@ -1745,19 +1759,8 @@ hx509_verify_path(hx509_context context,
c = _hx509_get_cert(path.val[i]); c = _hx509_get_cert(path.val[i]);
#if 0
/* check that algorithm and parameters is the same */
/* XXX this is wrong */
ret = alg_cmp(&c->tbsCertificate.signature, alg_id);
if (ret) {
hx509_clear_error_string(context);
ret = HX509_PATH_ALGORITHM_CHANGED;
goto out;
}
#endif
/* verify name constraints, not for selfsigned and anchor */ /* verify name constraints, not for selfsigned and anchor */
if (!certificate_is_self_signed(c) || i == path.len - 1) { if (!certificate_is_self_signed(c) || i != path.len - 1) {
ret = check_name_constraints(context, &nc, c); ret = check_name_constraints(context, &nc, c);
if (ret) { if (ret) {
goto out; goto out;