Skip to content
Commit 3342dcea authored by Viktor Dukhovni's avatar Viktor Dukhovni
Browse files

Reject when explicit trust EKU are set and none match.



Returning untrusted is enough for for full chains that end in
self-signed roots, because when explicit trust is specified it
suppresses the default blanket trust of self-signed objects.

But for partial chains, this is not enough, because absent a similar
trust-self-signed policy, non matching EKUs are indistinguishable
from lack of EKU constraints.

Therefore, failure to match any trusted purpose must trigger an
explicit reject.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
parent 3d6e91c6
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment