Hi,
Following this errata report https://www.rfc-editor.org/errata/eid6854
If the Basic Constraints extension is present and the certificate is
*not* a CA — as determined by X509_check_ca(3) — leave the purpose as
CERT_PURPOSE_INVALID.
While there, use the value name rather than 0.
OK?
Kind regards,
Job
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
retrieving revision 1.42
diff -u -p -r1.42 x509.c
--- x509.c 9 May 2022 17:13:06 -0000 1.42
+++ x509.c 10 May 2022 08:31:03 -0000
@@ -182,15 +182,22 @@ out:
enum cert_purpose
x509_get_purpose(X509 *x, const char *fn)
{
+ BASIC_CONSTRAINTS *bc = NULL;
EXTENDED_KEY_USAGE *eku = NULL;
int crit;
- enum cert_purpose purpose = 0;
+ enum cert_purpose purpose = CERT_PURPOSE_INVALID;
if (X509_check_ca(x) == 1) {
purpose = CERT_PURPOSE_CA;
goto out;
}
+ bc = X509_get_ext_d2i(x, NID_basic_constraints, &crit, NULL);
+ if (bc != NULL) {
+ warnx("%s: Basic Constraints ext in CA:FALSE cert", fn);
+ goto out;
+ }
+
eku = X509_get_ext_d2i(x, NID_ext_key_usage, &crit, NULL);
if (eku == NULL) {
warnx("%s: EKU: extension missing", fn);
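Review bot: The new `bc != NULL` test only catches a Basic Constraints extension that decodes successfully; as far as I can tell from the X509V3_get_d2i(3) contract, X509_get_ext_d2i also returns NULL when the extension is present but cannot be decoded or occurs more than once, leaving `crit` at something other than -1 (-1 is "not found"), so such a certificate would fall through to the EKU checks and could still be assigned an EE purpose. Unless the loader's extension parsing elsewhere already rejects certificates with undecodable extensions, the guard should be `if (bc != NULL || crit != -1) {` so that any presence of the extension ends in CERT_PURPOSE_INVALID, which is what the erratum requires. The message `"%s: Basic Constraints ext in CA:FALSE cert"` is also slightly imprecise, since X509_check_ca(3) can return 0 for a certificate whose Basic Constraints say CA:TRUE but whose other extensions disqualify it; `"%s: Basic Constraints ext in non-CA cert"` covers both cases. x509_get_purpose's body continues past this hunk.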
@@ -212,6 +219,7 @@ x509_get_purpose(X509 *x, const char *fn
}
out:
+ BASIC_CONSTRAINTS_free(bc);
EXTENDED_KEY_USAGE_free(eku);
return purpose;
}