Initial code to support distinct certificate and CRL signing keys where the

CRL issuer is not part of the main path. Not complete yet and not compiled in because the CRL issuer certificate is not validated.

Initial code to support distinct certificate and CRL signing keys where the
CRL issuer is not part of the main path. Not complete yet and not compiled in because the CRL issuer certificate is not validated.
2e0c7db9 · Dr. Stephen Henson · 002e66c0 · 2e0c7db9
隐藏空白更改
内联并排

Showing with 28 addition and 1 deletion

crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +28 -1

未找到文件。
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -795,6 +795,9 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer)
 	{
 	X509 *crl_issuer;
 	int cidx = ctx->error_depth;
+#if 0
+	int i;
+#endif
 	if (!crl->akid)
 		return 1;
 	if (cidx != sk_X509_num(ctx->chain) - 1)
@@ -819,7 +822,31 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer)
 				break;
 			}
 		}
-		
+
+
+	/* Otherwise the CRL issuer is not on the path. Look for it in the
+	 * set of untrusted certificates.
+	 */
+
+#if 0
+	/* FIXME: not enabled yet because the CRL issuer certifcate is not
+	 * validated.
+	 */
+
+	for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
+		{
+		crl_issuer = sk_X509_value(ctx->untrusted, i);
+		if (X509_NAME_cmp(X509_get_subject_name(crl_issuer),
+					X509_CRL_get_issuer(crl)))
+			continue;
+		if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
+			{
+			*pissuer = crl_issuer;
+			return 1;
+			}
+		}
+#endif
+
 	return 0;
 	}