git.ipfire.org Git - thirdparty/openssl.git/commit
Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()
author Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Tue, 24 Dec 2019 10:25:15 +0000 (11:25 +0100)
committer Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 16 Jul 2020 19:47:48 +0000 (21:47 +0200)
commit e2590c3a162eb118c36b09c2168164283aa099b4
tree a632b8db811a2e7e023aad774d1719f6e364ebaa
parent e21519280b3c3e0b264632fd72ce503a9d9ced73

Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix.

As prerequisites, this adds the static function check_sig_alg_match()
and the internal functions x509_likely_issued() and x509_signing_allowed().

This is a backport of the core of PR #10587.
Fixes #1418

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)

crypto/x509/x509_local.h
crypto/x509/x509_vfy.c
crypto/x509v3/v3_purp.c
doc/man3/X509_STORE_set_verify_cb_func.pod
doc/man3/X509_check_issued.pod
include/openssl/x509_vfy.h
test/certs/ee-self-signed.pem [new file with mode: 0644]
test/certs/setup.sh
test/recipes/25-test_verify.t