authorJob Snijders <job@cvs.openbsd.org>2023-04-23 21:39:20 +0000
committerJob Snijders <job@cvs.openbsd.org>2023-04-23 21:39:20 +0000
commited22dfb230260ca54e77bc90151898040b5d53cc (patch)
treeac5cee04433c199ca4fc071ad1cd50e6913984c7 /lib
parent51a2efc4d0c7da6cafddb26f81bf783fc89823c5 (diff)
If extensions are encountered on an X.509 V1 cert, mark as invalid
While there, explicitly check for 0 - as X509_get_version() is a wrapper around the less than beloved ASN1_INTEGER_get(). OK tb@
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/x509/x509_purp.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c
index 621f6f0f901..e0069313b93 100644
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.23 2023/04/23 21:39:19 job Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -457,8 +457,11 @@ x509v3_cache_extensions_internal(X509 *x)
X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL);
/* V1 should mean no extensions ... */
- if (!X509_get_version(x))
+ if (X509_get_version(x) == 0) {
x->ex_flags |= EXFLAG_V1;
+ if (X509_get_ext_count(x) > 0)
+ x->ex_flags |= EXFLAG_INVALID;
+ }
/* Handle basic constraints */
if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) {
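Review bot: The new EXFLAG_INVALID check covers only version 0, so a version-2 certificate that carries extensions — equally non-conforming, since RFC 5280 §4.1.2.1 requires version 3 whenever extensions are present — still leaves this block with no invalid flag set. One option is to keep the EXFLAG_V1 assignment under the `== 0` test and widen the extension check, e.g. `if (X509_get_version(x) < 2 && X509_get_ext_count(x) > 0) x->ex_flags |= EXFLAG_INVALID;`; if I read ASN1_INTEGER_get() right it yields -1 when the encoded integer cannot be represented, which that comparison would also treat as invalid, so it is worth confirming that is the intended outcome for a malformed version field. The comment on the line above the check could state the rule being enforced rather than the expectation, e.g. `/* Extensions require V3 (RFC 5280 4.1.2.1); a V1 cert carrying any is invalid */`. x509v3_cache_extensions_internal() starts and ends outside the hunk.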