openssl/crypto/x509
Dr. David von Oheimb 0b670a2101 x509_vfy.c: Improve key usage checks in internal_verify() of cert chains
If a presumably self-signed cert is last in the chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.

Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375)
2020-07-16 15:48:53 +02:00
build.info
by_dir.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
by_file.c Update copyright year 2020-05-15 14:09:49 +01:00
by_store.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
ext_dat.h
pcy_cache.c Update copyright year 2020-05-15 14:09:49 +01:00
pcy_data.c Update copyright year 2020-05-15 14:09:49 +01:00
pcy_lib.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
pcy_local.h
pcy_map.c Update copyright year 2020-05-15 14:09:49 +01:00
pcy_node.c Update copyright year 2020-05-15 14:09:49 +01:00
pcy_tree.c Update copyright year 2020-05-15 14:09:49 +01:00
standard_exts.h
t_crl.c Update copyright year 2020-05-15 14:09:49 +01:00
t_req.c Update copyright year 2020-05-15 14:09:49 +01:00
t_x509.c Constify X509_check_akid and prefer using X509_get0_serialNumber over X509_get_serialNumber 2020-07-16 15:48:53 +02:00
v3_addr.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_admis.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_admis.h
v3_akey.c Constify X509_check_akid and prefer using X509_get0_serialNumber over X509_get_serialNumber 2020-07-16 15:48:53 +02:00
v3_akeya.c
v3_alt.c Adjust length of some strncpy() calls 2020-05-22 15:35:21 +02:00
v3_asid.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_bcons.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_bitst.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_conf.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_cpols.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_crld.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
v3_enum.c
v3_extku.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_genn.c
v3_ia5.c Code cleanup in X509v3 String Extensions 2020-04-24 20:05:22 +03:00
v3_info.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_int.c
v3_ist.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
v3_lib.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_ncons.c Coverity 1463258: Incorrect expression (EVALUATION_ORDER) 2020-05-22 17:23:49 +10:00
v3_pci.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_pcia.c
v3_pcons.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_pku.c
v3_pmaps.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_prn.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_purp.c x509_vfy.c: Improve key usage checks in internal_verify() of cert chains 2020-07-16 15:48:53 +02:00
v3_skey.c
v3_sxnet.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_tlsf.c Update copyright year 2020-05-15 14:09:49 +01:00
v3_utf8.c Code cleanup in X509v3 String Extensions 2020-04-24 20:05:22 +03:00
v3_utl.c Strengthen X509_STORE_CTX_print_verify_cb() to print expected host etc. 2020-05-05 10:27:28 +02:00
v3err.c
x509_att.c Update copyright year 2020-05-15 14:09:49 +01:00
x509_cmp.c Rename EVP_PKEY_cmp() to EVP_PKEY_eq() and EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq() 2020-05-27 14:36:13 +02:00
x509_d2.c Update copyright year 2020-06-04 14:33:57 +01:00
x509_def.c
x509_err.c Fix some places where X509_up_ref is used 2020-05-18 17:16:16 +02:00
x509_ext.c
x509_local.h Refactor (without semantic changes) crypto/x509/{v3_purp.c,x509_vfy.c} 2020-07-01 11:14:54 +02:00
x509_lu.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
x509_meth.c
x509_obj.c Update copyright year 2020-05-15 14:09:49 +01:00
x509_r2x.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
x509_req.c Rename EVP_PKEY_cmp() to EVP_PKEY_eq() and EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq() 2020-05-27 14:36:13 +02:00
x509_set.c Update copyright year 2020-04-23 13:55:52 +01:00
x509_trs.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
x509_txt.c Refactor (without semantic changes) crypto/x509/{v3_purp.c,x509_vfy.c} 2020-07-01 11:14:54 +02:00
x509_v3.c Update copyright year 2020-05-15 14:09:49 +01:00
x509_vfy.c x509_vfy.c: Improve key usage checks in internal_verify() of cert chains 2020-07-16 15:48:53 +02:00
x509_vpm.c Strengthen X509_STORE_CTX_print_verify_cb() to print expected host etc. 2020-05-05 10:27:28 +02:00
x509cset.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
x509name.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
x509rset.c Update copyright year 2020-04-23 13:55:52 +01:00
x509spki.c
x509type.c
x_all.c Create a libctx aware X509_verify_ex() 2020-04-16 14:19:51 +01:00
x_attrib.c Update copyright year 2020-05-15 14:09:49 +01:00
x_crl.c Constify X509_check_akid and prefer using X509_get0_serialNumber over X509_get_serialNumber 2020-07-16 15:48:53 +02:00
x_exten.c
x_name.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
x_pubkey.c Rename EVP_PKEY_cmp() to EVP_PKEY_eq() and EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq() 2020-05-27 14:36:13 +02:00
x_req.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
x_x509.c include/openssl/x509v3.h: restore previous stack definition arrangement 2020-04-29 06:37:10 +02:00
x_x509a.c Update copyright year 2020-05-15 14:09:49 +01:00