Tolerate some "variations" used in some

certificates.

One is a valid CA which has no basicConstraints
but does have certSign keyUsage.

Other is S/MIME signer with nonRepudiation but
no digitalSignature.

diff --git a/CHANGES b/CHANGES
index 43eb9418deead2417a9ce21353c39c935aeaf70d..44720ffcbb05453cccca6677b037cd89386e34bd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.6 and 0.9.6a  [xx XXX 2000]
 
+  *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
+     keyUsage if basicConstraints absent for a CA.
+     [Steve Henson]
+
   *) Make SMIME_write_PKCS7() write mail header values with a format that
      is more generally accepted (no spaces before the semicolon), since
      some programs can't parse those values properly otherwise.  Also make

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 867699b26f3a6c30442587897c1e41b1d3546414..8aecd00e632591a252d7a0efe4839b9d93271e73 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -362,6 +362,8 @@ static int ca_check(const X509 *x)
                else return 0;
        } else {
                if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+               /* If key usage present it must have certSign so tolerate it */
+               else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
                else return 2;
        }
 }
@@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x)
        if(ca_ret != 2) return ca_ret;
        else return 0;
 }
-       
+
 
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
@@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
        int ret;
        ret = purpose_smime(x, ca);
        if(!ret || ca) return ret;
-       if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+       if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
        return ret;
 }