Skip the leaf certificate HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK check for now

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24254 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-01-11 21:44:19 +00:00
parent 3ee9a138f6
commit 4b553afa07
1 changed files with 4 additions and 2 deletions
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -2278,10 +2278,12 @@ hx509_verify_path(hx509_context context,
 	 * Verify that the sigature algorithm "best-before" date is
 	 * before the creation date of the certificate, do this for
 	 * trust anchors too, since any trust anchor that is created
-	 * after a algorithm is known to be bad deserved to be invalid
+	 * after a algorithm is known to be bad deserved to be invalid.
+	 *
+	 * Skip the leaf certificate for now...
 	 */

-	if ((ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) {
+	if (i != 0 && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) {
 	    time_t notBefore = 
 		_hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
 	    ret = _hx509_signature_best_before(context,