Commit 2e0c7db9 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Initial code to support distinct certificate and CRL signing keys where the 

CRL issuer is not part of the main path.

Not complete yet and not compiled in because the CRL issuer certificate is
not validated.
parent 002e66c0

crypto/x509/x509_vfy.c

+28 −1
Original line number Diff line number Diff line
@@ -795,6 +795,9 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer) 
	{

	X509 *crl_issuer;

	int cidx = ctx->error_depth;

#if 0

	int i;

#endif

	if (!crl->akid)

		return 1;

	if (cidx != sk_X509_num(ctx->chain) - 1)
@@ -820,6 +823,30 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer) 
			}

		}





	/* Otherwise the CRL issuer is not on the path. Look for it in the

	 * set of untrusted certificates.

	 */



#if 0

	/* FIXME: not enabled yet because the CRL issuer certifcate is not

	 * validated.

	 */



	for (i = 0; i < sk_X509_num(ctx->untrusted); i++)

		{

		crl_issuer = sk_X509_value(ctx->untrusted, i);

		if (X509_NAME_cmp(X509_get_subject_name(crl_issuer),

					X509_CRL_get_issuer(crl)))

			continue;

		if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)

			{

			*pissuer = crl_issuer;

			return 1;

			}

		}

#endif



	return 0;

	}