]> git.ipfire.org Git - thirdparty/openssl.git/commit
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e2590c3) | patch
x509_vfy.c: Improve key usage checks in internal_verify() of cert chains
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Fri, 3 Jul 2020 19:19:55 +0000 (21:19 +0200)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 16 Jul 2020 19:48:22 +0000 (21:48 +0200)
commit42bb51e59308b3ebc5cc1c35ff4822fba6b52d79
treed6fcd1454fe15a16edddae32ecc15a50ebeaa26dtree
parente2590c3a162eb118c36b09c2168164283aa099b4commit | diff
x509_vfy.c: Improve key usage checks in internal_verify() of cert chains

If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.

Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)
crypto/x509/x509_vfy.c diff | blob | blame | history
doc/man1/verify.pod diff | blob | blame | history
doc/man3/X509_VERIFY_PARAM_set_flags.pod diff | blob | blame | history
Mirror of https://github.com/openssl/openssl.git