diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2008-08-12 16:07:52 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2008-08-12 16:07:52 +0000 |
commit | 2e0c7db95002686b8b2eb8da6ba40fab1e7b93b1 (patch) | |
tree | 5edd328790082ccdbfcf703b275e338dfc1ba886 /crypto | |
parent | 002e66c0e81f94ac01d9a206e43eabb7f1c72a74 (diff) |
Initial code to support distinct certificate and CRL signing keys where the
CRL issuer is not part of the main path.
Not complete yet and not compiled in because the CRL issuer certificate is
not validated.
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/x509/x509_vfy.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 05dcd8b0a3..f33d16bba9 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -795,6 +795,9 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer) { X509 *crl_issuer; int cidx = ctx->error_depth; +#if 0 + int i; +#endif if (!crl->akid) return 1; if (cidx != sk_X509_num(ctx->chain) - 1) @@ -819,7 +822,31 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer) break; } } - + + + /* Otherwise the CRL issuer is not on the path. Look for it in the + * set of untrusted certificates. + */ + +#if 0 + /* FIXME: not enabled yet because the CRL issuer certifcate is not + * validated. + */ + + for (i = 0; i < sk_X509_num(ctx->untrusted); i++) + { + crl_issuer = sk_X509_value(ctx->untrusted, i); + if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), + X509_CRL_get_issuer(crl))) + continue; + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) + { + *pissuer = crl_issuer; + return 1; + } + } +#endif + return 0; } |