26 lines
1.1 KiB
Diff
26 lines
1.1 KiB
Diff
Reading the NID_key_usage extension doesn't ensure that the ex_flags and
|
|
ex_kusage fields that the ku_reject() macro checks. It'd probably be
|
|
better to check the usage string directly, but calling X509_check_ca()
|
|
makes the right things happen. RT#6775, part of #629022.
|
|
|
|
Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
===================================================================
|
|
--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24312)
|
|
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24313)
|
|
@@ -2005,6 +2005,7 @@
|
|
pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
|
|
|
|
/* check that digitalSignature KeyUsage is present */
|
|
+ X509_check_ca(reqctx->received_cert);
|
|
if ((usage = X509_get_ext_d2i(reqctx->received_cert,
|
|
NID_key_usage, NULL, NULL))) {
|
|
|
|
@@ -4551,6 +4552,7 @@
|
|
}
|
|
|
|
/* Make sure usage exists before checking bits */
|
|
+ X509_check_ca(x);
|
|
usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
|
|
if (usage) {
|
|
if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
|