check the EE if its a proxy certificate and fail up front

2013-10-21 08:43:24 -07:00
parent 056224c32f
commit 7439cb7c54
1 changed files with 10 additions and 0 deletions
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -2002,6 +2002,16 @@ hx509_verify_path(hx509_context context,

    memset(&proxy_issuer, 0, sizeof(proxy_issuer));

+    if ((ctx->flags & HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE) == 0 &&
+	is_proxy_cert(context, cert->data, NULL) == 0)
+    {
+	ret = HX509_PROXY_CERT_INVALID;
+	hx509_set_error_string(context, 0, ret,
+			       "Proxy certificate is not allowed as an EE "
+			       "certificae if proxy certificate is disabled");
+	return ret;
+    }
+
    ret = init_name_constraints(&nc);
    if (ret)
 	return ret;