Use X509_check_ca to determine if this is a CA key. This has the side effect of actually setting ex_xkusage.diff -r1.1.2.3 -r1.1.2.4 pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c
(joerg)
@@ -1,4 +1,4 @@
-/* $NetBSD: pkcs7.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $ */
+/* $NetBSD: pkcs7.c,v 1.1.2.4 2008/07/18 18:40:50 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
#endif
@@ -7,7 +7,7 @@
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: pkcs7.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $");
+__RCSID("$NetBSD: pkcs7.c,v 1.1.2.4 2008/07/18 18:40:50 joerg Exp $");
/*-
* Copyright (c) 2004, 2008 The NetBSD Foundation, Inc.
@@ -157,7 +157,8 @@
}
for (i = 0; i < sk_X509_num(signers); i++) {
- if (sk_X509_value(signers, i)->ex_flags & EXFLAG_CA) {
+ /* Check CA state and update ex_xkusage as side effect */
+ if (X509_check_ca(sk_X509_value(signers, i))) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
@@ -238,10 +239,12 @@
}
certificate = sk_X509_value(c, 0);
- if (certificate->ex_flags & EXFLAG_CA) {
+ /* Check CA state and update ex_xkusage as side effect */
+ if (X509_check_ca(certificate)) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
+
if (certificate->ex_xkusage != XKU_CODE_SIGN) {
warnx("Certificate must have CODE SIGNING property");
goto cleanup;