From 8b02ff64b30311a4730b60dd72590435f56fb3a2 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Thu, 3 Jan 2013 11:07:47 +0100
Subject: Fill in certificate authority and trust data correctly

* Fill in CKA_CERTIFICATE_CATEGORY properly for authorities based on the presence of BasicConstraints and/or v1 certificates
* Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the parser is running for anchors or blacklist
* In addition support the concept of blacklisted certificates mixed in with the anchors (without any purposes) since that's what exists in the real world.
* We do this after the various hooks have had a chance to mess with the certificate extensions and such.
---
 common/oid.h | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'common')
diff --git a/common/oid.h b/common/oid.h
index b0c8538..181539a 100644
--- a/common/oid.h
+++ b/common/oid.h
@@ -105,8 +105,7 @@ static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] =
  * The normal X.509 model is to only *include* the extended key
  * usages that are to be allowed (ie: a whitelist). It's not clear
  * exactly how valid and useful the reject per extended key usage
- * model is. In fact, it appears that openssl does not use this
- * information.
+ * model is.
  *
  * However in order to parse openssl trust policy information and
  * be able to write it back out in the same way, we define a custom
@@ -196,10 +195,10 @@ static const unsigned char P11_OID_TIME_STAMPING[] =
  * be a place holder when no other purposes are defined.
  *
  * In theory such a certificate should be blacklisted. But in reality
- * OpenSSL supports such empty sets of purposes. RFC 5280 requires at
- * least one purpose in an ExtendedKeyUsage.
+ * many implementations use such empty sets of purposes. RFC 5280 requires
+ * at least one purpose in an ExtendedKeyUsage.
  *
- * This purpose should never be used or checked.
+ * Obviously this purpose should never be checked against.
  */
 static const unsigned char P11_OID_RESERVED_PURPOSE[] =
 	{ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x10 };
-- 
cgit v1.1
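Review bot: The new last comment line on P11_OID_RESERVED_PURPOSE, `Obviously this purpose should never be checked against.`, is weaker than the line it replaces, because "Obviously" states no contract and "checked against" leaves open whether a consumer that finds this OID in an ExtendedKeyUsage set may treat it as a granted purpose. Since the same hunk says the OID is only a place holder for an otherwise empty purpose set, the comment should spell that out for whoever writes the matching code, e.g. ` * This OID is a place holder only: code that matches extended key usages` / ` * must never treat it as a granted purpose, and must not compare against it.` That keeps the comment consistent with the "should be blacklisted" sentence above it instead of relying on the reader to infer the intent.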