(hx509_verify_path): if trust anchor is not self signed, don't check sig

From Douglas Engert. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17108 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-04-20 17:05:11 +00:00
parent 6195a45286
commit 866f4be765
1 changed files with 12 additions and 2 deletions
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1326,8 +1326,18 @@ hx509_verify_path(hx509_context context,
 	Certificate *signer, *c;

 	c = _hx509_get_cert(path.val[i]);
-	/* is last in chain and thus the self-signed */
-	signer = path.val[i == path.len - 1 ? i : i + 1]->data;
+
+	/* is last in chain (trust anchor) */
+	if (i == path.len - 1) {
+	    signer = path.val[i]->data;
+
+	    /* if trust anchor is not self signed, don't check sig */
+	    if (!certificate_is_self_signed(signer))
+		continue;
+	} else {
+	    /* take next certificate in chain */
+	    signer = path.val[i + 1]->data;
+	}

 	/* verify signatureValue */
 	ret = _hx509_verify_signature_bitstring(signer,