Add a strict rfc3280 verification flag. rfc3280 requires certificates
to have KeyUsage.keyCertSign if they are to be used for signing of certificates, but the step in the verification is optional. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18086 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -35,18 +35,20 @@
|
||||
RCSID("$Id$");
|
||||
#include "crypto-headers.h"
|
||||
|
||||
|
||||
struct hx509_verify_ctx_data {
|
||||
hx509_certs trust_anchors;
|
||||
int flags;
|
||||
#define HX509_VERIFY_CTX_F_TIME_SET 1
|
||||
#define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE 2
|
||||
#define HX509_VERIFY_CTX_F_REQUIRE_RFC3280 4
|
||||
time_t time_now;
|
||||
unsigned int max_depth;
|
||||
#define HX509_VERIFY_MAX_DEPTH 30
|
||||
hx509_revoke_ctx revoke_ctx;
|
||||
};
|
||||
|
||||
#define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280)
|
||||
|
||||
struct _hx509_cert_attrs {
|
||||
size_t len;
|
||||
hx509_cert_attribute *val;
|
||||
@@ -333,6 +335,15 @@ hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
|
||||
ctx->flags &= ~HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE;
|
||||
}
|
||||
|
||||
void
|
||||
hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
|
||||
{
|
||||
if (boolean)
|
||||
ctx->flags |= HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
|
||||
else
|
||||
ctx->flags &= ~HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
|
||||
}
|
||||
|
||||
static const Extension *
|
||||
find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
|
||||
{
|
||||
@@ -752,11 +763,14 @@ find_parent(hx509_context context,
|
||||
}
|
||||
}
|
||||
|
||||
#if 0
|
||||
/*
|
||||
* Assume trust anchors isn't proxy certificates, require
|
||||
* KeyUsage.KeyCertSign
|
||||
*/
|
||||
q.match |= HX509_QUERY_KU_KEYCERTSIGN;
|
||||
#endif
|
||||
|
||||
ret = hx509_certs_find(context, trust_anchors, &q, parent);
|
||||
if (ret == 0) {
|
||||
free_AuthorityKeyIdentifier(&ai);
|
||||
@@ -782,7 +796,7 @@ find_parent(hx509_context context,
|
||||
}
|
||||
|
||||
hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND,
|
||||
"Failed to find issuer for"
|
||||
"Failed to find issuer for "
|
||||
"certificate with subject: %s", str);
|
||||
free(str);
|
||||
}
|
||||
@@ -1398,7 +1412,9 @@ hx509_verify_path(hx509_context context,
|
||||
|
||||
switch (type) {
|
||||
case CA_CERT:
|
||||
ret = check_key_usage(context, c, 1 << 5, TRUE); /* XXX make constants */
|
||||
/* XXX make constants for keyusage */
|
||||
ret = check_key_usage(context, c, 1 << 5,
|
||||
REQUIRE_RFC3280(ctx) ? TRUE : FALSE);
|
||||
if (ret)
|
||||
goto out;
|
||||
break;
|
||||
|
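Review bot: In the `case CA_CERT:` branch of hx509_verify_path, the last argument to `check_key_usage` is now `REQUIRE_RFC3280(ctx) ? TRUE : FALSE`, so any context that never calls `hx509_verify_set_strict_rfc3280_verification` passes FALSE where the old code passed TRUE. check_key_usage is not shown here, but if that argument means "the KeyUsage extension must be present", the default after this commit accepts an issuing certificate that carries no KeyUsage extension at all, and rejection of a non-CA issuer then depends on checks outside this hunk. The new setter has no comment saying this, so I would add one above it, for example `/* Off by default: when unset, a CA certificate without a KeyUsage extension is not rejected for missing keyCertSign. */`. The `#if 0` block added in find_parent also leaves the trust-anchor keyCertSign match as dead code; it would be clearer to tie it to the same flag or drop it with a comment explaining why it is disabled. The switch statement and find_parent both continue outside the visible hunks.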