提交 8cff6331 编写于 作者: D Dr. Stephen Henson

Tolerate some "variations" used in some

certificates.

One is a valid CA which has no basicConstraints
but does have certSign keyUsage.

Other is S/MIME signer with nonRepudiation but
no digitalSignature.
上级 cd6aa710
......@@ -3,6 +3,10 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
*) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
keyUsage if basicConstraints absent for a CA.
[Steve Henson]
*) Make SMIME_write_PKCS7() write mail header values with a format that
is more generally accepted (no spaces before the semicolon), since
some programs can't parse those values properly otherwise. Also make
......
......@@ -371,6 +371,8 @@ static int ca_check(const X509 *x)
else return 0;
} else {
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
/* If key usage present it must have certSign so tolerate it */
else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
else return 2;
}
}
......@@ -389,7 +391,7 @@ static int check_ssl_ca(const X509 *x)
if(ca_ret != 2) return ca_ret;
else return 0;
}
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
{
......@@ -455,7 +457,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
int ret;
ret = purpose_smime(x, ca);
if(!ret || ca) return ret;
if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
return ret;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册