diff options
Diffstat (limited to 'src/lib/x509/x509path.cpp')
| -rw-r--r-- | src/lib/x509/x509path.cpp | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp index fcc5bf0ba..11bcdbb12 100644 --- a/src/lib/x509/x509path.cpp +++ b/src/lib/x509/x509path.cpp @@ -6,6 +6,7 @@ */ #include <botan/x509path.h> +#include <botan/x509_ext.h> #include <botan/pk_keys.h> #include <botan/ocsp.h> #include <algorithm> @@ -46,6 +47,20 @@ PKIX::check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& ce if(!cert_path[0]->allowed_usage(usage)) cert_status[0].insert(Certificate_Status_Code::INVALID_USAGE); + if(cert_path[0]->is_CA_cert() == false && + cert_path[0]->has_constraints(KEY_CERT_SIGN)) + { + /* + "If the keyCertSign bit is asserted, then the cA bit in the + basic constraints extension (Section 4.2.1.9) MUST also be + asserted." - RFC 5280 + + We don't bother doing this check on the rest of the path since they + must have the cA bit asserted or the validation will fail anyway. + */ + cert_status[0].insert(Certificate_Status_Code::INVALID_USAGE); + } + for(size_t i = 0; i != cert_path.size(); ++i) { std::set<Certificate_Status_Code>& status = cert_status.at(i); @@ -67,10 +82,10 @@ PKIX::check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& ce } // Check all certs for valid time range - if(validation_time < X509_Time(subject->start_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME)) + if(validation_time < subject->not_before()) status.insert(Certificate_Status_Code::CERT_NOT_YET_VALID); - if(validation_time > X509_Time(subject->end_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME)) + if(validation_time > subject->not_after()) status.insert(Certificate_Status_Code::CERT_HAS_EXPIRED); // Check issuer constraints @@ -495,7 +510,9 @@ PKIX::build_certificate_path(std::vector<std::shared_ptr<const X509_Certificate> const std::string fprint = issuer->fingerprint("SHA-256"); if(certs_seen.count(fprint) > 0) // already seen? + { return Certificate_Status_Code::CERT_CHAIN_LOOP; + } certs_seen.insert(fprint); cert_path.push_back(issuer); |