From 321ab9944314e48e0ace5075bd7da5d9137eb3fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 8 Aug 2007 10:26:22 +0000
Subject: [PATCH] (verify_crl): handle with the signer is the CRLsigner (shortjcut).
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21861 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/revoke.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c
index 45d7f52c4..68c7976c3 100644
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -405,13 +405,24 @@ verify_crl(hx509_context context,
 _hx509_query_clear(&q);
- q.match = HX509_QUERY_MATCH_SUBJECT_NAME;
- q.match |= HX509_QUERY_KU_CRLSIGN;
- q.subject_name = &crl->tbsCertList.issuer;
-
- ret = hx509_certs_find(context, certs, &q, &signer);
- if (ret)
- return ret;
+ /*
+ * If its the signer have CRLSIGN bit set, use that as the signer
+ * cert for the certificate, otherwise, search for a certificate.
+ */
+ if (_hx509_check_key_usage(context, parent, 1 << 6, FALSE) == 0) {
+ signer = hx509_cert_ref(parent);
+ } else {
+ q.match = HX509_QUERY_MATCH_SUBJECT_NAME;
+ q.match |= HX509_QUERY_KU_CRLSIGN;
+ q.subject_name = &crl->tbsCertList.issuer;
+
+ ret = hx509_certs_find(context, certs, &q, &signer);
+ if (ret) {
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+ "Failed to find certificate for CRL");
+ return ret;
+ }
+ }
 ret = _hx509_verify_signature_bitstring(context,
 _hx509_get_cert(signer),
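Review bot: The shortcut branch accepts `parent` as the CRL signer on key usage alone and drops the name binding that the search branch enforces with `q.subject_name = &crl->tbsCertList.issuer`, so nothing in this hunk ties `parent`'s subject to the CRL's issuer. The signature check that follows does prove `parent`'s key signed the CRL, but unless a caller outside the hunk already compares the two names, a CRL carrying a different issuer name would be accepted; I would take the shortcut only when `parent`'s subject also equals `crl->tbsCertList.issuer` and otherwise fall through to `hx509_certs_find`. The literal `1 << 6` deserves a comment such as `/* KeyUsage bit 6: cRLSign */`, and the `FALSE` argument looks like it lets a parent with no KeyUsage extension take the shortcut too, which should be confirmed as intended. verify_crl starts before and continues past this hunk.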