Diffstat (limited to 'src/lib/cert/x509/x509path.cpp')
-rw-r--r-- | src/lib/cert/x509/x509path.cpp | 60 |
1 files changed, 6 insertions, 54 deletions
diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp
index dd9df6f51..436e27d39 100644
--- a/src/lib/cert/x509/x509path.cpp
+++ b/src/lib/cert/x509/x509path.cpp
@@ -113,7 +113,6 @@ check_chain(const std::vector<X509_Certificate>& cert_path,
 // Check issuer constraints
- // Don't require CA bit set on self-signed end entity cert
 if(!issuer.is_CA_cert() && !self_signed_ee_cert)
 status.insert(Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER);
@@ -142,60 +141,11 @@ check_chain(const std::vector<X509_Certificate>& cert_path,
 status.insert(Certificate_Status_Code::UNTRUSTED_HASH);
 }
- const NameConstraints& name_constr = issuer.name_constraints();
-
- if(!name_constr.permitted().empty() || !name_constr.excluded().empty())
+ // Check cert extensions
+ Extensions extensions = subject.v3_extensions();
+ for(auto& extension : extensions.extensions())
 {
- if(!issuer.is_CA_cert() || !issuer.is_critical("X509v3.NameConstraints"))
- cert_status.at(i).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
-
- // Check that all subordinate certs pass the name constraint
- for(size_t j = 0; j <= i; ++j)
- {
- if(i == j && at_self_signed_root)
- continue;
-
- bool permitted = name_constr.permitted().empty();
- bool failed = false;
-
- for(auto c: name_constr.permitted())
- {
- switch(c.base().matches(cert_path.at(j)))
- {
- case GeneralName::MatchResult::NotFound:
- case GeneralName::MatchResult::All:
- permitted = true;
- break;
- case GeneralName::MatchResult::UnknownType:
- failed = issuer.is_critical("X509v3.NameConstraints");
- permitted = true;
- break;
- default:
- break;
- }
- }
-
- for(auto c: name_constr.excluded())
- {
- switch(c.base().matches(cert_path.at(j)))
- {
- case GeneralName::MatchResult::All:
- case GeneralName::MatchResult::Some:
- failed = true;
- break;
- case GeneralName::MatchResult::UnknownType:
- failed = issuer.is_critical("X509v3.NameConstraints");
- break;
- default:
- break;
- }
- }
-
- if(failed || !permitted)
- {
- cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
- }
- }
+ extension.first->validate(subject, issuer, cert_path, cert_status, i);
 }
 }
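Review bot: The chain-wide name-constraint enforcement leaves this function without a visible replacement: the removed loop applied the issuer's NameConstraints to every cert at index j <= i and recorded NAME_CONSTRAINT_ERROR in cert_status.at(j), whereas the new loop only calls validate() on the subject's own extensions, so whether a name-constrained CA still rejects a non-conforming subordinate now depends entirely on the NameConstraints extension's validate() implementation, which is outside this diff. The at_self_signed_root skip and the criticality check (`issuer.is_critical("X509v3.NameConstraints")`) also disappear here, so their handling should be confirmed in that implementation and pinned by a path-validation test with a name-constrained CA and a violating subject. `extension.first` is dereferenced without a null check; if extensions() can hold a null pointer for an extension that failed to decode (not visible here), the loop should skip such entries. The `// Check cert extensions` comment could state the contract instead: `// Each extension validates itself against the path; validate() may add status codes for this cert (index i) or, for issuer-side constraints such as NameConstraints, for certs at lower indices in cert_path`. check_chain begins and ends outside this hunk.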
@@ -472,6 +422,8 @@ const char* Path_Validation_Result::status_string(Certificate_Status_Code code)
 return "Certificate does not match provided name";
 case Certificate_Status_Code::NAME_CONSTRAINT_ERROR:
 return "Certificate does not pass name constraint";
+ case Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION:
+ return "Unknown critical extension encountered";
 case Certificate_Status_Code::CERT_IS_REVOKED:
 return "Certificate is revoked";