In the PKINIT OpenSSL code, ensure that appropriate certificate fields
authorGreg Hudson <ghudson@mit.edu>
Wed, 15 Sep 2010 17:10:05 +0000 (17:10 +0000)
committerGreg Hudson <ghudson@mit.edu>
Wed, 15 Sep 2010 17:10:05 +0000 (17:10 +0000)
have been set before using ku_reject.  Patch from nalin@redhat.com.

ticket: 6775

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24313 dc483132-0cff-0310-8789-dd5450dbe970

src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index c1d87c8ca98e724f68dd065afe8d7e4333b621ec..a109a6797ab79c097bfdded3f2315aab8fd42eb4 100644 (file)
@@ -2005,6 +2005,7 @@ crypto_check_cert_eku(krb5_context context,
             pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
 
             /* check that digitalSignature KeyUsage is present */
+            X509_check_ca(reqctx->received_cert);
             if ((usage = X509_get_ext_d2i(reqctx->received_cert,
                                           NID_key_usage, NULL, NULL))) {
 
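Review bot: The added `X509_check_ca(reqctx->received_cert);` discards its return value and has no comment, so it reads as dead code even though it seems to be there only for a side effect; the same applies to `X509_check_ca(x);` in the second hunk at `check_kus:`. Going by the commit message, the call fills in the certificate's cached extension fields before `ku_reject` consults them. If that macro tests a cached key-usage flag (its definition is outside the hunks), a later cleanup that drops the call would presumably let the digitalSignature check pass for certificates whose KeyUsage lacks the bit. I would add a comment at both sites such as `/* Called only for its side effect: caches the extension fields that ku_reject reads. */` and cast the result to `(void)`. Both enclosing functions start and end outside the hunks shown.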
@@ -4551,6 +4552,7 @@ check_kus:
     }
 
     /* Make sure usage exists before checking bits */
+    X509_check_ca(x);
     usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
     if (usage) {
         if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))