feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Find CRL Signer By AuthKeyId

Browse Source 
When looking up the signer of the CRL by SKID/AKID, also verify that the
CRL issuer name matches the CA's subject name, per RFC 5280 section 4.1.2.6.
This commit is contained in:
John Safranek
2019-12-18 10:17:51 -08:00
parent 5a04ee0d8b
commit 6c6d72e4d6
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
wolfcrypt/src/asn.c
View File

@@ -16180,10 +16180,16 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
if experiencing issues uncomment NO_SKID define in CRL section of
wolfssl/wolfcrypt/settings.h */
#ifndef NO_SKID
if (dcrl->extAuthKeyIdSet)
if (dcrl->extAuthKeyIdSet) {
ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
if (ca == NULL)
}
if (ca != NULL && XMEMCMP(dcrl->issuerHash, ca->subjectNameHash,
KEYID_SIZE) != 0) {
ca = NULL;
}
if (ca == NULL) {
ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
}
#else
ca = GetCA(cm, dcrl->issuerHash);
#endif /* !NO_SKID */