Add X509_V_FLAG_REQUIRE_CA_BASIC_CONSTRAINTS.
This change adds a new flag, X509_V_FLAG_REQUIRE_CA_BASIC_CONSTRAINTS,
which causes basicConstraints with isCA to be required for intermediate
CA certificates. Without this, intermediates are also acceptable if
they're missing basicConstraints, but include either a certSign
keyUsage, or a CA Netscape certificate type.
This is a short-term change for patching. I'll undo a lot of it and make
this the default in the next change.
Bug: 111893041
Test: cts -m CtsLibcoreTestCases
Merged-In: I47a45e6b6f46b19fcbcb6c917895867d56dcd2ca
Change-Id: I9eaf0fa61141627da607a329974111c0f8841508
3 files changed