From e797c5a42c887410bf873c644e71cbf3864ec43e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 10 Jan 2007 22:11:34 +0000
Subject: [PATCH] BasicConstraints vs criticality bit is complicated and not really possible to evaluate on its own, silly RFC3280.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19820 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/print.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/hx509/print.c b/lib/hx509/print.c
index df3a810ce..4a5df4847 100644
--- a/lib/hx509/print.c
+++ b/lib/hx509/print.c
@@ -450,8 +450,12 @@ check_basicConstraints(hx509_validate_ctx ctx,
 "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
 if (b.cA) {
- if (*b.cA)
+ if (*b.cA) {
+ if (!e->critical)
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Is a CA and not BasicConstraints CRITICAL\n");
 status->isca = 1;
+ }
 else
 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
 "cA is FALSE, not allowed to be\n");
@@ -487,7 +491,7 @@ struct {
 { ext(keyUsage, Null), S_C },
 { ext(subjectAltName, subjectAltName), M_N_C },
 { ext(issuerAltName, issuerAltName), S_N_C },
- { ext(basicConstraints, basicConstraints), M_C },
+ { ext(basicConstraints, basicConstraints), D_C },
 { ext(cRLNumber, Null), M_N_C },
 { ext(cRLReason, Null), M_N_C },
 { ext(holdInstructionCode, Null), M_N_C },
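Review bot: The new `if (!e->critical)` test in check_basicConstraints reports every certificate with cA TRUE and a non-critical extension, but it never looks at keyUsage. RFC 3280 requires basicConstraints to be critical only in CA certificates whose key is used to validate signatures on certificates, so the message can be printed for a conforming certificate, and its wording does not say which rule was applied. I would add a comment above the test, `/* RFC 3280: MUST be critical only when the CA key signs certificates; keyUsage is not consulted here */`, and reword the message to `"cA is TRUE but basicConstraints is not marked critical\n"`. The function starts and ends outside the hunk, so whether this message also changes the validation result is not visible here.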
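Review bot: The basicConstraints row of the extension table changes from `M_C` to `D_C` with no comment, and neither flag is defined in the visible lines. If `D_C` relaxes the table-level criticality requirement, as the commit message suggests, the only criticality check left for this extension is the message printed in check_basicConstraints, and a reader of the table cannot see that. A trailing comment on the row, `/* criticality depends on cA, see check_basicConstraints() */`, would keep the two places linked. The struct initializer begins and ends outside the hunk.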