Skip to content
Snippets Groups Projects
Commit 3f1bddc5 authored by Martin Nilsson's avatar Martin Nilsson
Browse files

Improve the API a bit by having ext_basicConstraints_pathLenConstraint be the...

Improve the API a bit by having ext_basicConstraints_pathLenConstraint be the number of following certificates, instead of only intermediate certificates.
parent ba33983f
Branches
Tags
No related merge requests found
...@@ -868,10 +868,13 @@ class TBSCertificate ...@@ -868,10 +868,13 @@ class TBSCertificate
//! sign other certificates. //! sign other certificates.
int(0..1) ext_basicConstraints_cA; int(0..1) ext_basicConstraints_cA;
//! The maximum number of intermediate certificates that may follow //! The maximum number of certificates that may follow this
//! this certificate in a certificate chain. @exp{-1@} in case no //! certificate in a certificate chain. @exp{0@} in case no limit is
//! limit is imposed. //! imposed. Note that this variable is off by one compared to the
int ext_basicConstraints_pathLenConstraint = -1; //! RFC 3280 definition, which only counts intermediate certificates
//! (i.e. 0 intermediates means this variable would be 1, as in one
//! following certificate).
int ext_basicConstraints_pathLenConstraint;
protected int(0..1) parse_basicConstraints(Object o) protected int(0..1) parse_basicConstraints(Object o)
{ {
...@@ -888,7 +891,7 @@ class TBSCertificate ...@@ -888,7 +891,7 @@ class TBSCertificate
{ {
if( s[1]->type_name!="INTEGER" || s[0]->value==0 || s[1]->value<0 ) if( s[1]->type_name!="INTEGER" || s[0]->value==0 || s[1]->value<0 )
return 0; return 0;
ext_basicConstraints_pathLenConstraint = s[1]->value; ext_basicConstraints_pathLenConstraint = s[1]->value + 1;
// FIXME: pathLenConstraint is not permitted if keyCertSign // FIXME: pathLenConstraint is not permitted if keyCertSign
// isn't set in key usage. // isn't set in key usage.
} }
...@@ -1491,13 +1494,10 @@ mapping verify_certificate_chain(array(string) cert_chain, ...@@ -1491,13 +1494,10 @@ mapping verify_certificate_chain(array(string) cert_chain,
if( !tbs->ext_basicConstraints_cA ) if( !tbs->ext_basicConstraints_cA )
ERROR(CERT_UNAUTHORIZED_CA); ERROR(CERT_UNAUTHORIZED_CA);
if( tbs->ext_basicConstraints_pathLenConstraint!=-1 ) if( tbs->ext_basicConstraints_pathLenConstraint )
{ {
// pathLenConstraint is the maximum number of intermediate // len-1-idx is the number of following certificates.
// certificates. len-1-idx is the number of following if( len-1-idx > tbs->ext_basicConstraints_pathLenConstraint )
// certificates. Subtract one more to not count the leaf
// certificate.
if( len-1-idx-1 > tbs->ext_basicConstraints_pathLenConstraint )
{ {
// The error was later in the chain though, so maybe a // The error was later in the chain though, so maybe a
// different error should be sent. // different error should be sent.
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment