authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-29 22:33:07 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2020-01-03 10:56:14 +0100
commitaf83068ffc2b3533d9195b1f59132551f6027976 (patch)
tree1e65a7af44117b3288ffdd0e8e7d0cf095c29727 /lib/includes/gnutls/gnutls.h.in
parentacb025f0d20cda0e2173c822e7d4efa611cce396 (diff)
downloadgnutls-af83068ffc2b3533d9195b1f59132551f6027976.tar.gz
x509: reject certificates having duplicate extensions
According to RFC5280 a certificate must not include more than one instance of a particular extension. We were previously printing warnings when such extensions were found, but that is insufficient to flag such certificates. Instead, refuse to import them. Resolves: #887 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'lib/includes/gnutls/gnutls.h.in')
-rw-r--r--lib/includes/gnutls/gnutls.h.in1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index d8464c94da..fb617f9963 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -3386,6 +3386,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
#define GNUTLS_E_MISSING_EXTENSION -427
#define GNUTLS_E_DB_ENTRY_EXISTS -428
#define GNUTLS_E_EARLY_DATA_REJECTED -429
+#define GNUTLS_E_X509_DUPLICATE_EXTENSION -430
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
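Review bot: The new public code `GNUTLS_E_X509_DUPLICATE_EXTENSION` (-430) has no comment saying when it is returned, although per the commit message it marks a behaviour change: certificates that used to import with a warning are now refused. A one-line comment above it would help callers, e.g. `/* certificate repeats an extension OID (RFC 5280, section 4.2); import is refused */`. This view is limited to gnutls.h.in, so whether the error-string table gained a matching entry cannot be confirmed from here; it is worth checking, since an unmapped code surfaces as an opaque message in application logs. Applications that retry or fall back on unrecognised negative codes should treat this one as a permanent rejection of that certificate. The define list continues outside the hunk.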