From 4bcc98813080a3dabb94e31e974a6f74a81b2125 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 15 Sep 2010 17:10:05 +0000
Subject: [PATCH] In the PKINIT OpenSSL code, ensure that appropriate cerficiate fields have been set before using ku_reject. Patch from nalin@redhat.com. ticket: 6775 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24313 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index c1d87c8ca..a109a6797 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2005,6 +2005,7 @@ crypto_check_cert_eku(krb5_context context,
 pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
 /* check that digitalSignature KeyUsage is present */
+ X509_check_ca(reqctx->received_cert);
 if ((usage = X509_get_ext_d2i(reqctx->received_cert, NID_key_usage, NULL, NULL))) {
@@ -4551,6 +4552,7 @@ check_kus:
 }
 /* Make sure usage exists before checking bits */
+ X509_check_ca(x);
 usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
 if (usage) {
 if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
-- 
2.26.2
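Review bot: The added `X509_check_ca(reqctx->received_cert);` in crypto_check_cert_eku discards its return value and carries no comment saying it is called only for a side effect, so it reads as dead code that a later cleanup could remove; the same applies to `X509_check_ca(x);` in the second hunk under check_kus. Going by the commit message, the call is there to populate the certificate fields that ku_reject reads, and if those fields are unset ku_reject presumably reports "not rejected", which would let the digitalSignature check pass without the KeyUsage bits being consulted. I would put a comment above both calls, for example `/* Called only for its side effect: fills in the cached extension fields that ku_reject() reads; the CA result is unused. */`. Both enclosing functions start and end outside the hunks, so whether an earlier call already populates those fields cannot be confirmed from here.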