boringssl/crypto/x509
Adam Langley 8bd1d07535 Require basicConstraints cA flag in intermediate certs.
OpenSSL 1.0.2 (and thus BoringSSL) accepts keyUsage certSign or a
Netscape CA certificate-type in lieu of basicConstraints in an
intermediate certificate (unless X509_V_FLAG_X509_STRICT is set).

Update-Note: This change tightens the code so that basicConstraints is required for intermediate certificates when verifying chains. This was previously only enabled if X509_V_FLAG_X509_STRICT was set, but that flag also has other effects.

Change-Id: I9e41f4c567084cf30ed08f015a744959982940af
Reviewed-on: https://boringssl-review.googlesource.com/30185
Reviewed-by: Matt Braithwaite <mab@google.com>
2018-08-01 19:10:19 +00:00
a_digest.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
a_sign.c Remove redundant calls to |OPENSSL_cleanse| and |OPENSSL_realloc_clean|. 2017-09-18 19:16:51 +00:00
a_strex.c Use new encoding functions in ASN1_mbstring_ncopy. 2018-05-11 21:58:47 +00:00
a_verify.c Remove redundant calls to |OPENSSL_cleanse| and |OPENSSL_realloc_clean|. 2017-09-18 19:16:51 +00:00
algorithm.c Align EVP_PKEY Ed25519 API with upstream. 2017-06-12 12:04:11 +00:00
asn1_gen.c Sync asn1_gen.c with upstream 1.0.2. 2017-07-05 21:37:08 +00:00
by_dir.c Remove files from Trusty which can't link because of Trusty libc. 2018-04-19 19:06:58 +00:00
by_file.c Unexport more of lhash. 2017-10-25 04:17:18 +00:00
charmap.h OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
CMakeLists.txt Delete some dead code from crypto/x509. 2017-06-09 19:58:08 +00:00
i2d_pr.c Slightly simplify and deprecate i2d_{Public,Private}Key. 2016-02-17 16:31:26 +00:00
internal.h Align EVP_PKEY Ed25519 API with upstream. 2017-06-12 12:04:11 +00:00
make_many_constraints.go Fix some issues with name constraints test certs. 2017-09-20 21:06:00 +00:00
many_constraints.pem Fix some issues with name constraints test certs. 2017-09-20 21:06:00 +00:00
many_names1.pem Fix some issues with name constraints test certs. 2017-09-20 21:06:00 +00:00
many_names2.pem Fix some issues with name constraints test certs. 2017-09-20 21:06:00 +00:00
many_names3.pem Fix some issues with name constraints test certs. 2017-09-20 21:06:00 +00:00
rsa_pss.c Align EVP_PKEY Ed25519 API with upstream. 2017-06-12 12:04:11 +00:00
some_names1.pem Fix some issues with name constraints test certs. 2017-09-20 21:06:00 +00:00
some_names2.pem Fix some issues with name constraints test certs. 2017-09-20 21:06:00 +00:00
some_names3.pem Fix some issues with name constraints test certs. 2017-09-20 21:06:00 +00:00
t_crl.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
t_req.c Remove the func parameter to OPENSSL_PUT_ERROR. 2015-07-16 02:02:37 +00:00
t_x509.c Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
t_x509a.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
vpm_int.h Tighten and test name-checking functions. 2018-03-30 16:50:11 +00:00
x509_att.c Fix an error path leak in int X509_ATTRIBUTE_set1_data() 2016-07-26 19:53:44 +00:00
x509_cmp.c Add PKCS12_create. 2018-05-11 21:59:34 +00:00
x509_d2.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x509_def.c Update location of root certificates on Fuchsia 2018-04-25 21:32:20 +00:00
x509_ext.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x509_lu.c Add a bunch of X509_STORE getters and setters. 2018-05-11 21:59:58 +00:00
x509_obj.c Unexport more of lhash. 2017-10-25 04:17:18 +00:00
x509_r2x.c Fix a few leaks in X509_REQ_to_X509. 2016-09-09 20:17:16 +00:00
x509_req.c Add some OpenSSL compatibility functions and hacks. 2018-05-08 01:22:04 +00:00
x509_set.c Add some OpenSSL compatibility functions and hacks. 2018-05-08 01:22:04 +00:00
x509_test.cc Require basicConstraints cA flag in intermediate certs. 2018-08-01 19:10:19 +00:00
x509_time_test.cc Make X509 time validation stricter. 2018-06-25 17:54:33 +00:00
x509_trs.c Avoid modifying stack in sk_find. 2018-04-12 21:02:12 +00:00
x509_txt.c Unexport more of lhash. 2017-10-25 04:17:18 +00:00
x509_v3.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x509_vfy.c Require basicConstraints cA flag in intermediate certs. 2018-08-01 19:10:19 +00:00
x509_vpm.c Avoid modifying stack in sk_find. 2018-04-12 21:02:12 +00:00
x509.c Align with upstream's error strings, take two. 2016-03-15 16:02:12 +00:00
x509cset.c Add some OpenSSL compatibility functions and hacks. 2018-05-08 01:22:04 +00:00
x509name.c Fix bugs in X509_NAME_add_entry. 2018-05-03 17:40:43 +00:00
x509rset.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x509spki.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x_algor.c Const-correct X509_ALGOR_get0. 2017-11-22 22:52:38 +00:00
x_all.c Add BIO versions of i2d_DHparams and d2i_DHparams. 2018-05-08 23:12:15 +00:00
x_attrib.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x_crl.c Correctly find all critical CRL extensions. 2016-10-24 20:09:28 +00:00
x_exten.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x_info.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x_name.c Add X509_NAME_get0_der from OpenSSL 1.1.0. 2017-12-06 17:49:04 +00:00
x_pkey.c Work around language and compiler bug in memcpy, etc. 2016-12-21 20:34:47 +00:00
x_pubkey.c Change |EVP_PKEY_up_ref| to return int. 2016-07-12 17:55:41 +00:00
x_req.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x_sig.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x_spki.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x_val.c OpenSSL reformat x509/, x509v3/, pem/ and asn1/. 2016-01-19 17:01:51 +00:00
x_x509.c Add some OpenSSL compatibility functions and hacks. 2018-05-08 01:22:04 +00:00
x_x509a.c Delete some dead code from crypto/x509. 2017-06-09 19:58:08 +00:00