From 78293d1eba3ca80ef59d8e2213f6bec1eefd51f7 Mon Sep 17 00:00:00 2001
From: Martin Nilsson <nilsson@opera.com>
Date: Mon, 28 Apr 2014 14:01:50 +0200
Subject: [PATCH] Verify that the signing certificates of the trusted issuers actually is allowed to sign other certificates. I'm also more than 50% sure that the wrong certificate was used from the chain.
---
 lib/modules/SSL.pmod/context.pike | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/modules/SSL.pmod/context.pike b/lib/modules/SSL.pmod/context.pike
index 79fb5c5dda..d35239467e 100644
--- a/lib/modules/SSL.pmod/context.pike
+++ b/lib/modules/SSL.pmod/context.pike
@@ -772,8 +772,14 @@ private void update_trusted_issuers()
 if(!result->verified)
 error("Broken trusted issuer chain!\n");
- Standards.X509.TBSCertificate cert =
- Standards.X509.decode_certificate(i[-1]);
+ if( !tbs->ext_basicConstraints_cA || !(tbs->ext_keyUsage & keyCertSign) )
+ error("Trusted issuer not allowed to sign other certificates.\n");
+
+ // FIXME: The pathLenConstraint does not survive the cache.
+
+ // The leaf of the trusted issuer is the root to validate
+ // certificate chains against.
+ Standards.X509.TBSCertificate cert = result->certificates[-1];
 trusted_issuers_cache[cert->subject->get_der()] = cert->public_key;
 }
-- 
GitLab
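Review bot: The new cA/keyCertSign check tests `tbs`, but the key written into `trusted_issuers_cache` comes from `cert`, which is only assigned from `result->certificates[-1]` a few lines later. `tbs` is not declared anywhere in this hunk, so unless it is bound to that same certificate earlier in `update_trusted_issuers()` (the body starts outside the hunk), the check does not cover the certificate that ends up trusted. Declaring `cert` first and testing it directly, `if( !cert->ext_basicConstraints_cA || !(cert->ext_keyUsage & keyCertSign) )`, ties the constraint check to the cached key; `keyCertSign` is also unqualified here and should be confirmed to resolve in this file. Since the description is itself unsure which end of the chain is correct, a test with a multi-certificate issuer chain would pin the `[-1]` choice. The FIXME also means path-length limits are not enforced for issuers served from the cache, which is worth tracking as a follow-up rather than leaving as a comment.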