diff options
| author | lloyd <[email protected]> | 2014-02-08 15:50:01 +0000 |
|---|---|---|
| committer | lloyd <[email protected]> | 2014-02-08 15:50:01 +0000 |
| commit | 7def8d303e3cf0f1a27ee8ebcb8ae5137261a361 (patch) | |
| tree | 144e644bda4c58b80a9f8b9422bc6e723701e4b1 /src/lib/cert/x509/x509path.cpp | |
| parent | 1895c74f25debdf1a9d1ca9e539ec6cb598012a7 (diff) | |
Fix a bug introduced in 1.11.6 where we tried to check CRL signatures
against the wrong key, causing any check to fail.
Clean up the NIST X.509 path validation tests and run them by default.
Diffstat (limited to 'src/lib/cert/x509/x509path.cpp')
| -rw-r--r-- | src/lib/cert/x509/x509path.cpp | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp index edbceaadd..4f1971311 100644 --- a/src/lib/cert/x509/x509path.cpp +++ b/src/lib/cert/x509/x509path.cpp @@ -34,15 +34,12 @@ const X509_Certificate* find_issuing_cert(const X509_Certificate& cert, return nullptr; } -const X509_CRL* find_crls_from(const X509_Certificate& cert, - const std::vector<Certificate_Store*>& certstores) +const X509_CRL* find_crls_for(const X509_Certificate& cert, + const std::vector<Certificate_Store*>& certstores) { - const X509_DN issuer_dn = cert.subject_dn(); - const std::vector<byte> auth_key_id = cert.subject_key_id(); - for(size_t i = 0; i != certstores.size(); ++i) { - if(const X509_CRL* crl = certstores[i]->find_crl(cert)) + if(const X509_CRL* crl = certstores[i]->find_crl_for(cert)) return crl; } @@ -152,12 +149,12 @@ Certificate_Status_Code check_chain(const std::vector<X509_Certificate>& cert_pa } } - const X509_CRL* crl_p = find_crls_from(ca, certstores); + const X509_CRL* crl_p = find_crls_for(subject, certstores); if(!crl_p) { if(restrictions.require_revocation_information()) - return Certificate_Status_Code::NO_REVOCATION_DATA; + return Certificate_Status_Code::CRL_NOT_FOUND; continue; } @@ -173,7 +170,7 @@ Certificate_Status_Code check_chain(const std::vector<X509_Certificate>& cert_pa return Certificate_Status_Code::CRL_HAS_EXPIRED; if(crl.check_signature(ca.subject_public_key()) == false) - return Certificate_Status_Code::SIGNATURE_ERROR; + return Certificate_Status_Code::CRL_BAD_SIGNATURE; if(crl.is_revoked(subject)) return Certificate_Status_Code::CERT_IS_REVOKED; @@ -333,6 +330,8 @@ std::string Path_Validation_Result::status_string(Certificate_Status_Code code) return "CRL has expired"; case CRL_NOT_FOUND: return "CRL not found"; + case CRL_BAD_SIGNATURE: + return "CRL has invalid signature"; case CA_CERT_CANNOT_SIGN: return "CA certificate cannot sign"; case CA_CERT_NOT_FOR_CERT_ISSUER: |