Check for keyCertSign on non-CA certificates during validation

GH #1089
author: Jack Lloyd <[email protected]> 2017-11-14 16:58:37 -0500
committer: Jack Lloyd <[email protected]> 2017-11-14 16:58:56 -0500
commit: 6ff498730653d9837af32efaa5d4298d302cec73 (patch)
tree: d3dc3aa08ba6fe903ab3181f1f15cd0cb0539a0c /src/lib/x509/x509path.cpp
parent: 583741096b47b49e067e88fbf03575cdf86e7967 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index c10b15715..11bcdbb12 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -47,6 +47,20 @@ PKIX::check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& ce
    if(!cert_path[0]->allowed_usage(usage))
       cert_status[0].insert(Certificate_Status_Code::INVALID_USAGE);
 
+   if(cert_path[0]->is_CA_cert() == false &&
+      cert_path[0]->has_constraints(KEY_CERT_SIGN))
+      {
+      /*
+      "If the keyCertSign bit is asserted, then the cA bit in the
+      basic constraints extension (Section 4.2.1.9) MUST also be
+      asserted." - RFC 5280
+
+      We don't bother doing this check on the rest of the path since they
+      must have the cA bit asserted or the validation will fail anyway.
+      */
+      cert_status[0].insert(Certificate_Status_Code::INVALID_USAGE);
+      }
+
    for(size_t i = 0; i != cert_path.size(); ++i)
       {
       std::set<Certificate_Status_Code>& status = cert_status.at(i);
author	Jack Lloyd <[email protected]>	2017-11-14 16:58:37 -0500
committer	Jack Lloyd <[email protected]>	2017-11-14 16:58:56 -0500
commit	6ff498730653d9837af32efaa5d4298d302cec73 (patch)
tree	d3dc3aa08ba6fe903ab3181f1f15cd0cb0539a0c /src/lib/x509/x509path.cpp
parent	583741096b47b49e067e88fbf03575cdf86e7967 (diff)