forked from wolfSSL/wolfssl
Find CRL Signer By AuthKeyId
When looking up the signer of the CRL by SKID/AKID, also verify that the CRL issuer name matches the CA's subject name, per RFC 5280 section 4.1.2.6.
@@ -16180,10 +16180,16 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
|
|||||||
if experiencing issues uncomment NO_SKID define in CRL section of
|
if experiencing issues uncomment NO_SKID define in CRL section of
|
||||||
wolfssl/wolfcrypt/settings.h */
|
wolfssl/wolfcrypt/settings.h */
|
||||||
#ifndef NO_SKID
|
#ifndef NO_SKID
|
||||||
if (dcrl->extAuthKeyIdSet)
|
if (dcrl->extAuthKeyIdSet) {
|
||||||
ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
|
ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
|
||||||
if (ca == NULL)
|
}
|
||||||
|
if (ca != NULL && XMEMCMP(dcrl->issuerHash, ca->subjectNameHash,
|
||||||
|
KEYID_SIZE) != 0) {
|
||||||
|
ca = NULL;
|
||||||
|
}
|
||||||
|
if (ca == NULL) {
|
||||||
ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
|
ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
|
||||||
|
}
|
||||||
#else
|
#else
|
||||||
ca = GetCA(cm, dcrl->issuerHash);
|
ca = GetCA(cm, dcrl->issuerHash);
|
||||||
#endif /* !NO_SKID */
|
#endif /* !NO_SKID */
|
||||||
|
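Review bot: the new issuer-name check fails silently: when the CA found by AKID has a subjectNameHash that does not match dcrl->issuerHash, `ca = NULL;` drops straight through to the GetCAByName fallback with no trace, so a CRL whose issuer name does not match the AKID-selected CA is hard to diagnose. Suggest a message inside that branch, e.g. `WOLFSSL_MSG("CRL issuer name does not match CA found by AKID");` (the library's existing logging macro), before the fallback. Also confirm that KEYID_SIZE is the length of both issuerHash and subjectNameHash; if those buffers are sized by a different constant, use that constant as the XMEMCMP length so the comparison cannot silently under- or over-read when one definition changes. Note that the `if (ca != NULL && ...)` check relies on ca being initialized to NULL before this hunk, as the original `if (ca == NULL)` already did.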