-rw-r--r--NEWS5
-rw-r--r--lib/includes/gnutls/x509.h5
-rw-r--r--lib/x509/verify.c2
3 files changed, 3 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index 7fa2360d91..9c218d3b3e 100644
--- a/NEWS
+++ b/NEWS
@@ -21,9 +21,8 @@ algorithm as well.
** libgnutls: the gnutls_handshake() process will enforce a timeout by
default.
-** libgnutls: the verification flag GNUTLS_REQUIRE_KEY_PURPOSE_ON_INTERMEDIATE
-is introduced, and forces the application of the desired key purpose (extended
-key usage) into intermediate certificates. The verification result
+** libgnutls: if a key purpose (extended key usage) is specified for verification,
+it is applied into intermediate certificates. The verification result
GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.
** libgnutls: Added support for the extended master secret
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 0314bbe38a..5ae554bbec 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -811,10 +811,6 @@ int gnutls_pkcs7_delete_crl(gnutls_pkcs7_t pkcs7, int indx);
* using certificate revocation lists or the available OCSP data.
* @GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS: When including a hostname
* check in the verification, do not consider any wildcards.
- * @GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE: When verifying a certificate
- * and asking for a particular key purpose, require that any intermediate certificates
- * bear this key purpose as well. This is not enabled by default as this is not part
- * of RFC5280, but rather is an extension of CA Forum (baseline requirements 1.1.9).
*
* Enumeration of different certificate verify flags. Additional
* verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS()
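Review bot: Dropping a public enumerator from gnutls_certificate_verify_flags leaves bit `1 << 13` free for the next flag added to this bitmask, and any binary built against a header that still defined GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE would then silently enable that future flag; this applies to the doc line removed here and to the enumerator removed in the following hunk of this file. The NEWS hunk rewords the entry inside a single release section, so the flag may never have shipped, but if it did the slot should stay reserved with a comment in place of the removed line, e.g. `/* 1 << 13: formerly GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, check is now unconditional */`. The removed @-line was also the only place stating that intermediates are checked for the requested key purpose and that this goes beyond RFC 5280; a sentence to that effect in the enum's description, or next to the purpose parameter of the verification API, would keep that behaviour documented now that it can no longer be switched off.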
@@ -833,7 +829,6 @@ typedef enum gnutls_certificate_verify_flags {
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1 << 10,
GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1 << 11,
GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12,
- GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE = 1 << 13
/* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */
} gnutls_certificate_verify_flags;
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 5f8d4b0205..fafaff274b 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -952,7 +952,7 @@ _gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
if (i - 1 < 0)
break;
- if (purpose != NULL && (flags & GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE)) {
+ if (purpose != NULL) {
ret = _gnutls_check_key_purpose(certificate_list[i], purpose, 1);
if (ret != 1) {
gnutls_assert();