authorStef Walter <stefw@gnome.org>2013-01-03 11:07:47 +0100
committerStef Walter <stefw@gnome.org>2013-02-05 14:54:53 +0100
commit8b02ff64b30311a4730b60dd72590435f56fb3a2 (patch)
tree20afcc494e8fd9032f9c3a94b27a316848b8728f /common
parent18bb2582c32f4373f7ed85894fb490f2733cb03b (diff)
Fill in certificate authority and trust data correctly
* Fill in CKA_CERTIFICATE_CATEGORY properly for authorities based on the presence of BasicConstraints and/or v1 certificates * Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the parser is running for anchors or blacklist * In addition support the concept of blacklisted certificates mixed in with the anchors (without any purposes) since that's what exists in the real world. * We do this after the various hooks have had a chance to mess with the certificate extensions and such.
Diffstat (limited to 'common')
-rw-r--r--common/oid.h9
1 files changed, 4 insertions, 5 deletions
diff --git a/common/oid.h b/common/oid.h
index b0c8538..181539a 100644
--- a/common/oid.h
+++ b/common/oid.h
@@ -105,8 +105,7 @@ static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] =
* The normal X.509 model is to only *include* the extended key
* usages that are to be allowed (ie: a whitelist). It's not clear
* exactly how valid and useful the reject per extended key usage
- * model is. In fact, it appears that openssl does not use this
- * information.
+ * model is.
*
* However in order to parse openssl trust policy information and
* be able to write it back out in the same way, we define a custom
@@ -196,10 +195,10 @@ static const unsigned char P11_OID_TIME_STAMPING[] =
* be a place holder when no other purposes are defined.
*
* In theory such a certificate should be blacklisted. But in reality
- * OpenSSL supports such empty sets of purposes. RFC 5280 requires at
- * least one purpose in an ExtendedKeyUsage.
+ * many implementations use such empty sets of purposes. RFC 5280 requires
+ * at least one purpose in an ExtendedKeyUsage.
*
- * This purpose should never be used or checked.
+ * Obviously this purpose should never be checked against.
*/
static const unsigned char P11_OID_RESERVED_PURPOSE[] =
{ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x10 };
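Review bot: The rewritten comment on P11_OID_RESERVED_PURPOSE says the placeholder must never be checked against, but it still does not say how a consumer should treat a certificate whose purpose set contains only this OID; the sentence "In theory such a certificate should be blacklisted" leaves that open. If the intended contract is that the placeholder grants nothing, state it on the declaration, e.g. `* A purpose set holding only this OID grants no purpose at all; callers must treat it as an empty set.` — whether that is the behaviour elsewhere in the tree is not visible from this hunk, so confirm before wording it as a guarantee. The word "Obviously" in the last sentence adds nothing for a reader deciding how to handle the value; `* This purpose must never be checked against.` reads as a requirement rather than an aside.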