Commit 5117d50b authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Partial path fix. 

When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.
(cherry picked from commit 52073b76)
parent 593605d3

crypto/x509/x509_vfy.c

+8 −11
Original line number Diff line number Diff line
@@ -759,11 +759,9 @@ static int check_trust(X509_STORE_CTX *ctx) 
	 */

	if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)

		{

		X509 *mx;

		if (ctx->last_untrusted < sk_X509_num(ctx->chain))

			return X509_TRUST_TRUSTED;

		if (sk_X509_num(ctx->chain) == 1)

			{

			X509 *mx;

		x = sk_X509_value(ctx->chain, 0);

		mx = lookup_cert_match(ctx, x);

		if (mx)
@@ -774,7 +772,6 @@ static int check_trust(X509_STORE_CTX *ctx) 
			return X509_TRUST_TRUSTED;

			}

		}

		}



	/* If no trusted certs in chain at all return untrusted and

	 * allow standard (no issuer cert) etc errors to be indicated.