feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Check for Certificate Sign key usage bit on intermediate CAs.

Browse Source
This commit is contained in:
John Safranek
2014-03-28 10:10:22 -07:00
parent bbc9c53b90
commit 4b22986e74
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/ssl.c
View File

@@ -1497,6 +1497,13 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
CYASSL_MSG(" Can't add as CA if not actually one"); CYASSL_MSG(" Can't add as CA if not actually one");
ret = NOT_CA_ERROR; ret = NOT_CA_ERROR;
} }
else if (ret == 0 && cert.isCA == 1 && type != CYASSL_USER_CA &&
(cert.extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) {
/* Intermediate CA certs are required to have the keyCertSign
* extension set. User loaded root certs are not. */
CYASSL_MSG(" Doesn't have key usage certificate signing");
ret = NOT_CA_ERROR;
}
else if (ret == 0 && AlreadySigner(cm, subjectHash)) { else if (ret == 0 && AlreadySigner(cm, subjectHash)) {
CYASSL_MSG(" Already have this CA, not adding again"); CYASSL_MSG(" Already have this CA, not adding again");
(void)ret; (void)ret;