svn rev #24313: trunk/src/plugins/preauth/pkinit/
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed Sep 15 13:10:05 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24313
Commit By: ghudson
Log Message:
ticket: 6775
In the PKINIT OpenSSL code, ensure that appropriate certificate fields
have been set before using ku_reject. Patch from nalin at redhat.com.
Changed Files:
U trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
Modified: trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2010-09-15 17:06:43 UTC (rev 24312)
+++ trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2010-09-15 17:10:05 UTC (rev 24313)
@@ -2005,6 +2005,7 @@
pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
/* check that digitalSignature KeyUsage is present */
+ X509_check_ca(reqctx->received_cert);
if ((usage = X509_get_ext_d2i(reqctx->received_cert,
NID_key_usage, NULL, NULL))) {
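Review bot: the added X509_check_ca(reqctx->received_cert) call discards its return value and sits directly under the existing comment "check that digitalSignature KeyUsage is present", so it reads like a CA check whose result was forgotten. Per the log message it is there only so that the certificate's fields are set before ku_reject is used. Give the call a comment of its own saying so, and write it as (void) X509_check_ca(reqctx->received_cert); so the ignored result is visibly intentional.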
@@ -4551,6 +4552,7 @@
}
/* Make sure usage exists before checking bits */
+ X509_check_ca(x);
usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
if (usage) {
if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
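Review bot: in this second hunk X509_check_ca(x) is inserted between the comment "Make sure usage exists before checking bits" and the X509_get_ext_d2i lookup that comment describes, while the code that depends on it is the ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE) test two lines further down. Move the call next to that test or add a comment tying it to ku_reject. Since the same side-effect call now appears at two places in pkinit_crypto_openssl.c, a small shared helper would keep the two sites from drifting apart.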