Diffstat (limited to 'src/lib/x509/x509cert.cpp')
-rw-r--r--src/lib/x509/x509cert.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp
index 5afbcc815..dda15835e 100644
--- a/src/lib/x509/x509cert.cpp
+++ b/src/lib/x509/x509cert.cpp
@@ -201,10 +201,13 @@ std::unique_ptr<X509_Certificate_Data> parse_x509_cert_body(const X509_Object& o
if(v3_exts_data.is_a(3, ASN1_Tag(CONSTRUCTED | CONTEXT_SPECIFIC)))
{
+ // Path validation will reject a v1/v2 cert with v3 extensions
BER_Decoder(v3_exts_data).decode(data->m_v3_extensions).verify_end();
}
else if(v3_exts_data.is_set())
+ {
throw BER_Bad_Tag("Unknown tag in X.509 cert", v3_exts_data.tagging());
+ }
// Now cache some fields from the extensions
if(auto ext = data->m_v3_extensions.get_extension_object_as<Cert_Extension::Key_Usage>())
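Review bot: The comment added before the BER_Decoder call documents a rejection that happens somewhere else (path validation), while the parser itself still decodes the extensions of a v1/v2 body unconditionally, so a caller that inspects a parsed certificate without running path validation has no way to notice the version mismatch. Since the version appears to be available in this function (the second hunk of this commit reads data().m_version, presumably set earlier in the body), the comment should at least make the division of responsibility explicit, e.g. `// Extensions are decoded even for a v1/v2 body; path validation, not this parser, rejects a v1/v2 cert that carries them`. Whether the extensions should instead be rejected or flagged at parse time depends on how the rest of the library consumes m_v3_extensions, which is not visible here. parse_x509_cert_body begins and continues outside this hunk.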
@@ -442,11 +445,17 @@ const std::vector<uint8_t>& X509_Certificate::raw_subject_dn() const
bool X509_Certificate::is_CA_cert() const
{
+ if(data().m_version < 3 && data().m_self_signed)
+ return true;
+
return data().m_is_ca_certificate;
}
uint32_t X509_Certificate::path_limit() const
{
+ if(data().m_version < 3 && data().m_self_signed)
+ return 32; // in theory infinite, but this is more than enough
+
return static_cast<uint32_t>(data().m_path_len_constraint);
}
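Review bot: The new early return in is_CA_cert() promotes every certificate with m_version < 3 and m_self_signed set to a CA without a comment saying why that is safe, even though RFC 5280 §6.1.4 step (k) requires a v1/v2 intermediate to be verified as a CA out of band or rejected; I would put the rationale on the line, e.g. `// v1/v2 certs cannot carry basicConstraints; a self-signed one can only serve as a trust anchor, so report it as a CA`. How m_self_signed is computed is not visible in this hunk — if it reflects only issuer DN == subject DN rather than a verified self-signature, this check also makes any name-matching v1 cert a CA with path_limit() == 32, so that derivation should be confirmed before merging. The same condition is duplicated verbatim in path_limit(); a small private helper (say `bool is_v1_self_signed() const`) would keep the two from drifting apart. If the code base already has a constant meaning "no path length limit" for v3 CAs without pathLenConstraint, path_limit() should return that instead of the literal 32 so both cases behave the same.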