]> git.ipfire.org Git - thirdparty/openssl.git/commit
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1337a3a) | patch
x509_vfy.c: Improve key usage checks in internal_verify() of cert chains
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Fri, 3 Jul 2020 19:19:55 +0000 (21:19 +0200)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 16 Jul 2020 13:48:53 +0000 (15:48 +0200)
commit0b670a2101c6cdcc3f2a4ed168f75243fe082a2b
tree57833015d59b7b47c6f626b59d11dddfb99511c6tree
parent1337a3a998b7dacd55e31c21bb9c647099e63e86commit | diff
x509_vfy.c: Improve key usage checks in internal_verify() of cert chains

If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.

Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375)
crypto/x509/v3_purp.c diff | blob | blame | history
crypto/x509/x509_vfy.c diff | blob | blame | history
doc/man1/openssl.pod diff | blob | blame | history
doc/man3/X509_VERIFY_PARAM_set_flags.pod diff | blob | blame | history
Mirror of https://github.com/openssl/openssl.git