Commit 93c5ad7c authored by Adrien Béraud's avatar Adrien Béraud

crypto: make Certificate::isCA() more restrictive

parent 03d52e42
...@@ -373,7 +373,8 @@ struct OPENDHT_PUBLIC Certificate { ...@@ -373,7 +373,8 @@ struct OPENDHT_PUBLIC Certificate {
std::chrono::system_clock::time_point getExpiration() const; std::chrono::system_clock::time_point getExpiration() const;
/** /**
* Returns true if the certificate is marked as a Certificate Authority. * Returns true if the certificate is marked as a Certificate Authority
* and has necessary key usage flags to sign certificates.
*/ */
bool isCA() const; bool isCA() const;
......
...@@ -722,7 +722,20 @@ bool ...@@ -722,7 +722,20 @@ bool
Certificate::isCA() const Certificate::isCA() const
{ {
unsigned critical; unsigned critical;
return gnutls_x509_crt_get_ca_status(cert, &critical) > 0; bool ca_flag = gnutls_x509_crt_get_ca_status(cert, &critical) > 0;
if (ca_flag) {
unsigned usage;
auto ret = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
/* Conforming CAs MUST include this extension in certificates that
contain public keys that are used to validate digital signatures on
other public key certificates or CRLs. */
if (ret < 0)
return false;
if (not critical)
return true;
return usage & GNUTLS_KEY_KEY_CERT_SIGN;
}
return false;
} }
std::string std::string
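Review bot: The `if (not critical) return true;` branch in `Certificate::isCA()` reports a CA whenever the keyUsage extension is present but not marked critical, without looking at `usage`, so a certificate with the CA flag and a non-critical keyUsage that lacks keyCertSign still passes. RFC 5280 expects a recognised extension to be processed whether or not it is critical, and the updated header comment promises that the necessary key usage flags are present. I would drop that branch and end the block with `return (usage & GNUTLS_KEY_KEY_CERT_SIGN) != 0;`. The same `critical` variable receives the basicConstraints criticality from the first call and is then overwritten by the key-usage call, so a short comment stating that only the key-usage value is meant to be read would help the next reader. Certificates with no keyUsage extension at all are now rejected through `ret < 0`, which may change the result for existing CA certificates issued without it; if that is intended, it deserves a sentence in the commit description.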
......