mirror of
https://github.com/openbsd/src.git
synced 2026-06-17 23:03:29 +02:00
1a6a13bae9a19fb971fb5202301c1611be8a67e8
If a purpose is configured on the verify context (which it currently never is), this check would only accept certificates for which the purpose check fails. Also, this code is not currently reachable from the public API since x509_verify() is only ever called with a legacy xsc set on the verify ctx, so x509_verify_ccert_extensions() takes the path returning 1 earlier.

X509_check_purpose() is one of these strange legacy APIs. It returns -1 on error, 0 if the cert fails the purpose check, 1 if it passes it, and values between 2 and 5 indicate various legacy garbage meaning that the cert might possibly have been fit for this purpose until around a quarter century ago. While for CA certs the checks in "No we don't care about ..." exclude return values > 1, it is still possible for the S/MIME purpose to return 2 due to a workaround for some buggy NS certs, for example.

In short: anything but 1 means unfit for the purpose or at best dubious, so reject such certs.

Reported by Frank Denis
ok kenjiro