field | value | date
---|---|---
author | Stef Walter <stefw@gnome.org> | 2013-01-03 11:07:47 +0100
committer | Stef Walter <stefw@gnome.org> | 2013-02-05 14:54:53 +0100
commit | 8b02ff64b30311a4730b60dd72590435f56fb3a2 |
tree | 20afcc494e8fd9032f9c3a94b27a316848b8728f /common |
parent | 18bb2582c32f4373f7ed85894fb490f2733cb03b |
Fill in certificate authority and trust data correctly
* Fill in CKA_CERTIFICATE_CATEGORY properly for authorities based on the presence of BasicConstraints and/or v1 certificates
* Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the parser is running for anchors or blacklist
* In addition support the concept of blacklisted certificates mixed in with the anchors (without any purposes) since that's what exists in the real world.
* We do this after the various hooks have had a chance to mess with the certificate extensions and such.
Diffstat (limited to 'common')
-rw-r--r-- | common/oid.h | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/common/oid.h b/common/oid.h index b0c8538..181539a 100644 --- a/common/oid.h +++ b/common/oid.h @@ -105,8 +105,7 @@ static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] = * The normal X.509 model is to only *include* the extended key * usages that are to be allowed (ie: a whitelist). It's not clear * exactly how valid and useful the reject per extended key usage - * model is. In fact, it appears that openssl does not use this - * information. + * model is. * * However in order to parse openssl trust policy information and * be able to write it back out in the same way, we define a custom @@ -196,10 +195,10 @@ static const unsigned char P11_OID_TIME_STAMPING[] = * be a place holder when no other purposes are defined. * * In theory such a certificate should be blacklisted. But in reality - * OpenSSL supports such empty sets of purposes. RFC 5280 requires at - * least one purpose in an ExtendedKeyUsage. + * many implementations use such empty sets of purposes. RFC 5280 requires + * at least one purpose in an ExtendedKeyUsage. * - * This purpose should never be used or checked. + * Obviously this purpose should never be checked against. */ static const unsigned char P11_OID_RESERVED_PURPOSE[] = { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x10 }; |
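Review bot: In the first hunk (`@@ -105,8 +105,7 @@`, the comment above the reject-per-extended-key-usage OIDs), dropping `* In fact, it appears that openssl does not use this` / `* information.` removes a factual claim but leaves the preceding doubt (`It's not clear exactly how valid and useful the reject per extended key usage model is.`) with no statement of what this code does with reject entries. The commit message says CKA_X_DISTRUSTED is now filled in, so the comment should say whether a reject purpose feeds that attribute or is only preserved so that OpenSSL trust policy can be written back out unchanged, as the following paragraph implies. Note also that the diffstat here is limited to 'common', so the CKA_CERTIFICATE_CATEGORY and CKA_TRUSTED changes the message describes are not visible in this view and must be reviewed in the full commit.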
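Review bot: In the second hunk (`@@ -196,10 +195,10 @@`, the P11_OID_RESERVED_PURPOSE comment), the rewording loses precision twice. `many implementations use such empty sets of purposes` is vaguer than the original naming of OpenSSL and nothing in the patch backs the generalisation; either name the implementations or keep OpenSSL as the concrete example. `Obviously this purpose should never be checked against.` drops the original `used or`, so the comment no longer says the placeholder must not be emitted as a real purpose; drop `Obviously` and restore the `used` half, e.g. `This purpose is a placeholder only and must never be used as, or checked against, a real purpose.` The comment also still reads `In theory such a certificate should be blacklisted`, while the commit message says blacklisted certificates with no purposes are now handled alongside the anchors, so state here how a certificate carrying only the reserved purpose is classified (anchor with no purposes, or CKA_X_DISTRUSTED) instead of leaving it at "in theory".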