diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 9cb6c8b73921ee5bddb188db3419bac04113b56b..53b19e46dfe286f077c1ea123924209465957384 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -208,6 +208,8 @@ const char *X509_verify_cert_error_string(long n) return "Subject Key Identifier marked critical"; case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE: return "CA cert does not include key usage extension"; + case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3: + return "Using cert extension requires at least X509v3"; default: /* Printing an error number into a static buffer is not thread-safe */ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 83dae9a79bb1dddbe4b434c4d3d9e3c83f8cae70..4a067e5ff4f3e4a248cdd8abe488ea43cab85a70 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -26,6 +26,7 @@ #include "x509_local.h" DEFINE_STACK_OF(X509) +DEFINE_STACK_OF(X509_EXTENSION) DEFINE_STACK_OF(X509_REVOKED) DEFINE_STACK_OF(GENERAL_NAME) DEFINE_STACK_OF(X509_CRL) @@ -585,6 +586,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) /* Check SKID presence acc. to RFC 5280 section 4.2.1.2 */ if ((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL) ctx->error = X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER; + } else { + if (sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0) + ctx->error = X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3; } } if (ctx->error != X509_V_OK) diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 50ae14f240e429f29aa089df769ae7e7b2f74073..d43a442fc7a75b4a065618015af69b8946fb5416 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -233,6 +233,7 @@ X509_LOOKUP_ctrl_with_libctx((x), X509_L_ADD_STORE, (name), 0, NULL, \ # define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90 # define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91 # define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92 +# define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 93 /* Certificate verify flags */ # ifndef OPENSSL_NO_DEPRECATED_1_1_0