aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/cert/x509/x509path.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/cert/x509/x509path.cpp')
-rw-r--r--src/lib/cert/x509/x509path.cpp60
1 files changed, 6 insertions, 54 deletions
diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp
index dd9df6f51..436e27d39 100644
--- a/src/lib/cert/x509/x509path.cpp
+++ b/src/lib/cert/x509/x509path.cpp
@@ -113,7 +113,6 @@ check_chain(const std::vector<X509_Certificate>& cert_path,
// Check issuer constraints
- // Don't require CA bit set on self-signed end entity cert
if(!issuer.is_CA_cert() && !self_signed_ee_cert)
status.insert(Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER);
@@ -142,60 +141,11 @@ check_chain(const std::vector<X509_Certificate>& cert_path,
status.insert(Certificate_Status_Code::UNTRUSTED_HASH);
}
- const NameConstraints& name_constr = issuer.name_constraints();
-
- if(!name_constr.permitted().empty() || !name_constr.excluded().empty())
+ // Check cert extensions
+ Extensions extensions = subject.v3_extensions();
+ for(auto& extension : extensions.extensions())
{
- if(!issuer.is_CA_cert() || !issuer.is_critical("X509v3.NameConstraints"))
- cert_status.at(i).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
-
- // Check that all subordinate certs pass the name constraint
- for(size_t j = 0; j <= i; ++j)
- {
- if(i == j && at_self_signed_root)
- continue;
-
- bool permitted = name_constr.permitted().empty();
- bool failed = false;
-
- for(auto c: name_constr.permitted())
- {
- switch(c.base().matches(cert_path.at(j)))
- {
- case GeneralName::MatchResult::NotFound:
- case GeneralName::MatchResult::All:
- permitted = true;
- break;
- case GeneralName::MatchResult::UnknownType:
- failed = issuer.is_critical("X509v3.NameConstraints");
- permitted = true;
- break;
- default:
- break;
- }
- }
-
- for(auto c: name_constr.excluded())
- {
- switch(c.base().matches(cert_path.at(j)))
- {
- case GeneralName::MatchResult::All:
- case GeneralName::MatchResult::Some:
- failed = true;
- break;
- case GeneralName::MatchResult::UnknownType:
- failed = issuer.is_critical("X509v3.NameConstraints");
- break;
- default:
- break;
- }
- }
-
- if(failed || !permitted)
- {
- cert_status.at(j).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
- }
- }
+ extension.first->validate(subject, issuer, cert_path, cert_status, i);
}
}
@@ -472,6 +422,8 @@ const char* Path_Validation_Result::status_string(Certificate_Status_Code code)
return "Certificate does not match provided name";
case Certificate_Status_Code::NAME_CONSTRAINT_ERROR:
return "Certificate does not pass name constraint";
+ case Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION:
+ return "Unknown critical extension encountered";
case Certificate_Status_Code::CERT_IS_REVOKED:
return "Certificate is revoked";