Give an error when using BR policy OIDs when it's not a certificate f…

…or server authentication
kroeckx · Mar 31, 2019 · 4b596b1 · 4b596b1
1 parent 9ea7ba6
commit 4b596b1
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/checks.c b/checks.c
@@ -890,6 +890,14 @@ static void CheckPolicy(X509 *x509, CertType type, X509_NAME *subject)
 			SetError(ERR_NAME_NO_IV_POLICY);
 		}
 	}
+	else
+	{
+		if (DomainValidated || IndividualValidated || CabIVPresent)
+		{
+			SetError(ERR_POLICY_BR);
+		}
+	}
+
 
 	if (!bPolicyFound && type == SubscriberCertificate)
 	{

diff --git a/checks.h b/checks.h
@@ -93,7 +93,8 @@ typedef enum { PEM, DER } CertFormat;
 #define ERR_DOMAINCOMPONENT_SIZE              83
 #define ERR_UNSTRUCTUREDNAME_SIZE             84
 #define ERR_TELETEX_WITH_ESCAPE               85
-#define MAX_ERR                               ERR_TELETEX_WITH_ESCAPE
+#define ERR_POLICY_BR                         86
+#define MAX_ERR                               ERR_POLICY_BR
 
 /* This violates a SHOULD (or MUST with exception that can't be checked) */
 #define WARN_NON_PRINTABLE_STRING      0

diff --git a/messages.c b/messages.c
@@ -112,6 +112,7 @@ static const char *error_strings[] =
 	"E: Invalid length of domainComponent", /* ERR_DOMAINCOMPONENT_SIZE */
 	"E: Invalid length of unstructuredName", /* ERR_UNSTRUCTUREDNAME_SIZE */
 	"E: Teletex string with an escape sequence", /* ERR_TELETEX_WITH_ESCAPE */
+	"E: Baseline Requirements policy present for non server authentication certificate", /* ERR_POLICY_BR */
 };
 
 static const char *warning_strings[] = {