author | thekuwayama <thekuwayama@gmail.com> | 2019-11-19 14:54:05 +0900 |
---|---|---|
committer | Samuel Williams <samuel.williams@oriontransfer.co.nz> | 2019-11-19 18:11:11 +0900 |
commit | 7498a910d09f6a1299ddfa760ed45d1dee193f4c (patch) | |
tree | 529b407e8a3b03758d5a74fd6f65b278ebc5e716 | |
parent | 531782c0dc1e0246ed2accdc9bcd88cb217d6ce4 (diff) | |
download | ruby-openssl-7498a910d09f6a1299ddfa760ed45d1dee193f4c.tar.gz |
check AIA extension is critical
-rw-r--r-- | lib/openssl/x509.rb | 6 | ||||
-rw-r--r-- | test/test_x509cert.rb | 3 |
2 files changed, 2 insertions, 7 deletions
diff --git a/lib/openssl/x509.rb b/lib/openssl/x509.rb
index 26a757bc..aa29fbe5 100644
--- a/lib/openssl/x509.rb
+++ b/lib/openssl/x509.rb
@@ -177,10 +177,6 @@ module OpenSSL
 aia_asn1 = parse_aia_asn1
 return nil if aia_asn1.nil?
- if aia_asn1.tag_class != :UNIVERSAL || aia_asn1.tag != ASN1::SEQUENCE
- raise ASN1::ASN1Error, "invalid extension"
- end
-
 ca_issuer = aia_asn1.value.select do |authority_info_access|
 authority_info_access.value.first.value == "caIssuers"
 end
@@ -210,7 +206,7 @@ module OpenSSL
 return nil if ext.nil?
 aia_asn1 = ASN1.decode(ext.value_der)
- if aia_asn1.tag_class != :UNIVERSAL || aia_asn1.tag != ASN1::SEQUENCE
+ if ext.critical? || aia_asn1.tag_class != :UNIVERSAL || aia_asn1.tag != ASN1::SEQUENCE
 raise ASN1::ASN1Error, "invalid extension"
 end
diff --git a/test/test_x509cert.rb b/test/test_x509cert.rb
index 535b833a..d246622d 100644
--- a/test/test_x509cert.rb
+++ b/test/test_x509cert.rb
@@ -90,6 +90,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
 ["authorityKeyIdentifier","issuer:always,keyid:always",false],
 ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
 ["subjectAltName","email:ee1@ruby-lang.org",false],
+ ["authorityInfoAccess","caIssuers;URI:http://www.example.com/caIssuers,OCSP;URI:http://www.example.com/ocsp",false],
 ]
 ee1_cert = issue_cert(@ee1, @rsa1024, 2, ee1_exts, ca_cert, @rsa2048)
 assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
@@ -98,8 +99,6 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
 assert_equal(ee1_exts[i].last, ext.critical?)
 }
 assert_nil(ee1_cert.crl_uris)
- assert_nil(ee1_cert.ca_issuer_uris)
- assert_nil(ee1_cert.ocsp_uris)
 ef = OpenSSL::X509::ExtensionFactory.new
 ef.config = OpenSSL::Config.parse(<<~_cnf_)
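Review bot: The new `ext.critical?` test in the second lib/openssl/x509.rb hunk is folded into the same condition as the ASN.1 shape check, so a critical AIA extension and a malformed one both surface as the indistinguishable `"invalid extension"`; since rejecting a critical AIA is a policy decision (RFC 5280 requires the extension to be non-critical) rather than a parse failure, a separate guard with its own message would make the rejection diagnosable, e.g. `raise ASN1::ASN1Error, "authorityInfoAccess must not be critical" if ext.critical?` placed before the `ASN1.decode` call. Checking criticality before decoding also avoids parsing DER that is going to be rejected anyway. The enclosing `parse_aia_asn1` method starts and ends outside the hunk, and the first hunk's removal of the duplicate shape check from `ca_issuer_uris` is consistent with this method now being the single validation point, so that hunk needs no separate change.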
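Review bot: The test/test_x509cert.rb hunks never exercise the check this commit adds: the new `authorityInfoAccess` entry is issued with `false` (non-critical), and the second hunk only deletes the two `assert_nil` lines without asserting what `ca_issuer_uris` and `ocsp_uris` now return. Replacing the deleted lines with `assert_equal(["http://www.example.com/caIssuers"], ee1_cert.ca_issuer_uris)` and `assert_equal(["http://www.example.com/ocsp"], ee1_cert.ocsp_uris)` would pin the positive path, and a second certificate issued with the same AIA value but `true` as the critical flag, wrapped in `assert_raise(OpenSSL::ASN1::ASN1Error) { cert.ca_issuer_uris }`, would cover the negative path the commit title describes. The test method enclosing both hunks starts and ends outside the visible lines.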