Restore ability to use v1 CA if trusted locally
diff --git a/library/x509_crt.c b/library/x509_crt.c
index c5f7f70..6f72661 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1589,17 +1589,25 @@
* Return 0 if yes, -1 if not.
*/
static int x509_crt_check_parent( const x509_crt *child,
- const x509_crt *parent )
+ const x509_crt *parent,
+ int top )
{
- if( parent->version == 0 ||
- parent->ca_istrue == 0 ||
- child->issuer_raw.len != parent->subject_raw.len ||
+ /* Parent must be the issuer */
+ if( child->issuer_raw.len != parent->subject_raw.len ||
memcmp( child->issuer_raw.p, parent->subject_raw.p,
child->issuer_raw.len ) != 0 )
{
return( -1 );
}
+ /* Parent must have the basicConstraints CA bit set.
+ * Exception: v1/v2 certificates that are locally trusted. */
+ if( parent->ca_istrue == 0 &&
+ ! ( top && parent->version < 3 ) )
+ {
+ return( -1 );
+ }
+
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
if( x509_crt_check_key_usage( parent, KU_KEY_CERT_SIGN ) != 0 )
return( -1 );
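Review bot: The new `top` parameter is what relaxes the CA-bit requirement, but the function's header comment (which starts above this hunk; only "Return 0 if yes, -1 if not." is visible) does not say what a caller guarantees when it passes a non-zero value. Because a v1/v2 parent carries no basicConstraints, the check `if( parent->ca_istrue == 0 && ! ( top && parent->version < 3 ) )` in effect treats every pre-v3 certificate in the trust store as a CA, so that caller contract should be written down; I would add to the header comment: `top: non-zero only when parent comes from the locally trusted CA list. v1/v2 parents have no basicConstraints and are accepted as CA only in that case.` Note also that the old `parent->version == 0` guard is gone, so an unparsed or empty list entry is now rejected only by the issuer/subject comparison above, which presumably suffices as long as child->issuer_raw is never empty — worth confirming.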
@@ -1643,7 +1651,7 @@
for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next )
{
- if( x509_crt_check_parent( child, trust_ca ) != 0 )
+ if( x509_crt_check_parent( child, trust_ca, 1 ) != 0 )
continue;
/*
@@ -1770,7 +1778,7 @@
grandparent != NULL;
grandparent = grandparent->next )
{
- if( x509_crt_check_parent( parent, grandparent ) == 0 )
+ if( x509_crt_check_parent( parent, grandparent, 0 ) == 0 )
break;
}
@@ -1872,7 +1880,7 @@
/* Look for a parent upwards the chain */
for( parent = crt->next; parent != NULL; parent = parent->next )
{
- if( x509_crt_check_parent( crt, parent ) == 0 )
+ if( x509_crt_check_parent( crt, parent, 0 ) == 0 )
break;
}