CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]    2023/06/25 07:52:27

Modified files:
        lib/libcrypto/x509: x509_purp.c 

Log message:
Check for duplicate X.509v3 extension OIDs

Per RFC 5280, 4.2: A certificate MUST NOT include more than one instance
of a particular extension.

This implements such a check in x509v3_cache_extensions() by sorting the
list of extensions and looking for duplicate neighbors. This sidesteps
complications from extensions we do not know about and keeps algorithmic
complexity reasonable. If the check fails, EXFLAG_INVALID is set on the
certificate, which means that the verifier will not validate it.

ok jsing
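
The check the log message describes, as an added example and not the libcrypto code itself: each extension is reduced to the contents octets of its DER-encoded OID, the list is sorted, and adjacent entries are compared, so an OID the library has never heard of is treated exactly like a known one. The ordering used here (shorter encoding first, then bytewise) is assumed to match OBJ_cmp(); struct ext, has_duplicate_extension() and the sample OIDs are this example's own names, and the private-arc OID is made up for the test data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not libcrypto code: an extension reduced to the contents
 * octets of its DER-encoded OID, which is all the duplicate check needs.
 */
struct ext {
	const unsigned char *oid;
	size_t oid_len;
};

/*
 * Total order on OIDs: shorter encoding first, then bytewise. Assumed to
 * mirror OBJ_cmp(). No OID table is consulted, so extensions the library
 * does not know are compared exactly like known ones.
 */
static int
ext_oid_cmp(const void *pa, const void *pb)
{
	const struct ext *a = *(const struct ext *const *)pa;
	const struct ext *b = *(const struct ext *const *)pb;

	if (a->oid_len != b->oid_len)
		return a->oid_len < b->oid_len ? -1 : 1;
	return memcmp(a->oid, b->oid, a->oid_len);
}

/*
 * Returns 1 if some OID occurs more than once (forbidden by RFC 5280, 4.2),
 * 0 if all are distinct, -1 on allocation failure; a caller like
 * x509v3_cache_extensions() would set EXFLAG_INVALID for anything but 0.
 * Sorting a scratch array of pointers leaves the certificate's extension
 * order untouched and costs O(n log n) instead of O(n^2) pairwise compares.
 */
int
has_duplicate_extension(const struct ext *exts, size_t n)
{
	const struct ext **sorted;
	size_t i;
	int dup = 0;

	if (n < 2)
		return 0;
	if ((sorted = calloc(n, sizeof(*sorted))) == NULL)
		return -1;
	for (i = 0; i < n; i++)
		sorted[i] = &exts[i];
	qsort(sorted, n, sizeof(*sorted), ext_oid_cmp);
	for (i = 1; i < n; i++) {
		if (ext_oid_cmp(&sorted[i - 1], &sorted[i]) == 0) {
			dup = 1;
			break;
		}
	}
	free(sorted);
	return dup;
}

/* Constructed test data: DER contents octets of a few extension OIDs. */
static const unsigned char oid_key_usage[] = { 0x55, 0x1d, 0x0f };	/* 2.5.29.15 */
static const unsigned char oid_san[] = { 0x55, 0x1d, 0x11 };		/* 2.5.29.17 */
static const unsigned char oid_basic_constraints[] = { 0x55, 0x1d, 0x13 }; /* 2.5.29.19 */
/* 1.3.6.1.4.1.99999.1: a made-up private-arc OID no library recognises. */
static const unsigned char oid_private[] =
    { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x86, 0x8d, 0x1f, 0x01 };

#define EXT(o) { o, sizeof(o) }

/* All OIDs distinct, mixed known and unknown: expected 0. */
int
example_distinct(void)
{
	const struct ext exts[] = { EXT(oid_basic_constraints), EXT(oid_private),
	    EXT(oid_key_usage), EXT(oid_san) };
	return has_duplicate_extension(exts, 4);
}

/* keyUsage listed twice, not adjacent in the input: expected 1. */
int
example_duplicate_known(void)
{
	const struct ext exts[] = { EXT(oid_key_usage), EXT(oid_san),
	    EXT(oid_basic_constraints), EXT(oid_key_usage) };
	return has_duplicate_extension(exts, 4);
}

/* The repeated OID is one the library does not know: still expected 1. */
int
example_duplicate_unknown(void)
{
	const struct ext exts[] = { EXT(oid_private), EXT(oid_basic_constraints),
	    EXT(oid_private) };
	return has_duplicate_extension(exts, 3);
}

int
main(void)
{
	printf("distinct: %d\n", example_distinct());
	printf("duplicate keyUsage: %d\n", example_duplicate_known());
	printf("duplicate unknown OID: %d\n", example_duplicate_unknown());
	return 0;
}
```

The comparison is on the OID alone: two instances of the same extension are rejected even when their values or criticality differ, which is what "MUST NOT include more than one instance" requires. Treating the allocation-failure return as invalid too keeps the fail-closed behaviour the commit intends.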
