From 866f4be7652c4aad3447227bd80777f174eb8d9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Thu, 20 Apr 2006 17:05:11 +0000 Subject: [PATCH] (hx509_verify_path): if trust anchor is not self signed, don't check sig From Douglas Engert. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17108 ec53bebd-3082-4978-b11e-865c3cabbd6b --- lib/hx509/cert.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c index 61ec09b36..c81666280 100644 --- a/lib/hx509/cert.c +++ b/lib/hx509/cert.c @@ -1326,8 +1326,18 @@ hx509_verify_path(hx509_context context, Certificate *signer, *c; c = _hx509_get_cert(path.val[i]); - /* is last in chain and thus the self-signed */ - signer = path.val[i == path.len - 1 ? i : i + 1]->data; + + /* is last in chain (trust anchor) */ + if (i == path.len - 1) { + signer = path.val[i]->data; + + /* if trust anchor is not self signed, don't check sig */ + if (!certificate_is_self_signed(signer)) + continue; + } else { + /* take next certificate in chain */ + signer = path.val[i + 1]->data; + } /* verify signatureValue */ ret = _hx509_verify_signature_bitstring(signer,