authorJack Lloyd <[email protected]>2020-06-09 12:30:04 -0400
committerJack Lloyd <[email protected]>2020-06-13 15:14:52 -0400
commit0349b99244b9cea4098f625e4dcf1d0f10163141 (patch)
tree9fd3206271ed43d01571ac6e3223872b5ef4462c /src/lib/x509
parentceadc89d756b8a5ddfbb297b190d72a6b940e912 (diff)
Add a note that we are ignoring PKIX requirements here
Pointed out by Mario Korth
Diffstat (limited to 'src/lib/x509')
-rw-r--r--src/lib/x509/x509cert.cpp7
1 files changed, 7 insertions, 0 deletions
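--- a/src/lib/x509/x509cert.cpp
+++ b/src/lib/x509/x509cert.cpp
@@ -240,6 +240,13 @@ std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(const X509_Object& o
 {
 if(ext->get_is_ca() == true)
 {
+ /*
+ * RFC 5280 section 4.2.1.3 requires that CAs include KeyUsage in all
+ * intermediate CA certificates they issue. Currently we accept it being
+ * missing, as do most other implementations. But it may be worth
+ * removing this entirely, or alternately adding a warning level
+ * validation failure for it.
+ */
 if(data->m_key_constraints == NO_CONSTRAINTS ||
 (data->m_key_constraints & KEY_CERT_SIGN))
 {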
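Review bot: The phrase "removing this entirely" in the added comment is ambiguous about whether it is the leniency toward a missing KeyUsage or the KEY_CERT_SIGN check itself that might be removed; suggest `* missing, as do most other implementations. But it may be worth rejecting` / `* CA certificates that lack KeyUsage entirely, or alternately adding a` / `* warning level validation failure for it.`. It would also help a reader of the condition below to see the consequence stated next to it, e.g. `// NO_CONSTRAINTS means no KeyUsage extension was present; treated as permitting cert signing` — assuming that is what the guarded block does, since its body lies outside the hunk. parse_x509_cert_body begins before the hunk and continues after it.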