author    Theo Buehler <tb@cvs.openbsd.org> 2022-05-11 16:13:06 +0000
committer Theo Buehler <tb@cvs.openbsd.org> 2022-05-11 16:13:06 +0000
commit    d32eda1edb6e12f7db9eab6420824a3513d657a4
tree      e441a66f1e49e9470be0a2cdd6781042b00fd4b2 /lib/libutil
parent    a9ab456066a9d5d377eddc5311deafe22ee27e04
Cache X509v3 extensions as soon as we have a cert
X509 API functions such as X509_check_ca() or X509_get_extension_flags() can't be used reliably unless we know that X509v3 extensions are cached. Otherwise they try to cache the extensions themselves but can't report possible errors sensibly. They carry on and may return nonsense.

An old trick is to call X509_check_purpose() with a purpose of -1 which is a wrapper around the internal x509v3_cache_extensions() that allows error checking. Do this when we have a new cert. This way the API functions affected by this can be relied upon.

Another nice side effect of doing this is that with LibreSSL we then know that the RFC 3779 extensions are in canonical form.

ok beck claudio
Diffstat (limited to 'lib/libutil')
0 files changed, 0 insertions, 0 deletions