Tolerate some "variations" used in some

certificates. One is a valid CA which has no basicConstraints but does have certSign keyUsage. Other is S/MIME signer with nonRepudiation but no digitalSignature.

Tolerate some "variations" used in some
certificates. One is a valid CA which has no basicConstraints but does have certSign keyUsage. Other is S/MIME signer with nonRepudiation but no digitalSignature.
8cff6331 · Dr. Stephen Henson · cd6aa710 · 8cff6331 · 8cff6331
显示空白变更内容
内联并排

Showing with 8 addition and 2 deletion

CHANGES CHANGES +4 -0

crypto/x509v3/v3_purp.c crypto/x509v3/v3_purp.c +4 -2

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,10 @@

 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]

+  *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
+     keyUsage if basicConstraints absent for a CA.
+     [Steve Henson]
+
  *) Make SMIME_write_PKCS7() write mail header values with a format that
     is more generally accepted (no spaces before the semicolon), since
     some programs can't parse those values properly otherwise.  Also make

--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -371,6 +371,8 @@ static int ca_check(const X509 *x)
 		else return 0;
 	} else {
 		if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+		/* If key usage present it must have certSign so tolerate it */
+		else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
 		else return 2;
 	}
 }
@@ -455,7 +457,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
 	int ret;
 	ret = purpose_smime(x, ca);
 	if(!ret || ca) return ret;
-	if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+	if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
 	return ret;
 }