X.509 path validation now performs all possible tests and returns a

set of error codes, instead of failing immediately on first error.
This prevents a 'weak' error like an expired certificate from hiding a
major error such as signature validation failure or hard revocation.

1 files changed, 3 insertions, 3 deletions

diff --git a/src/tests/nist_x509.cpp b/src/tests/nist_x509.cpp
index cf37a3ba7..48483d46a 100644
--- a/src/tests/nist_x509.cpp
+++ b/src/tests/nist_x509.cpp
@@ -201,7 +201,7 @@ std::map<size_t, Path_Validation_Result::Code> get_expected()
    expected_results[17] = Certificate_Status_Code::VERIFIED;
    expected_results[18] = Certificate_Status_Code::VERIFIED;
 
-   expected_results[19] = Certificate_Status_Code::CRL_NOT_FOUND;
+   expected_results[19] = Certificate_Status_Code::NO_REVOCATION_DATA;
    expected_results[20] = Certificate_Status_Code::CERT_IS_REVOKED;
    expected_results[21] = Certificate_Status_Code::CERT_IS_REVOKED;
 
@@ -275,8 +275,8 @@ std::map<size_t, Path_Validation_Result::Code> get_expected()
 
    expected_results[64] = Certificate_Status_Code::CRL_BAD_SIGNATURE;
 
-   expected_results[65] = Certificate_Status_Code::CRL_NOT_FOUND;
-   expected_results[66] = Certificate_Status_Code::CRL_NOT_FOUND;
+   expected_results[65] = Certificate_Status_Code::NO_REVOCATION_DATA;
+   expected_results[66] = Certificate_Status_Code::NO_REVOCATION_DATA;
 
    expected_results[67] = Certificate_Status_Code::VERIFIED;