Check signedObject URI when present. Closes #173.

svn path=/trunk/; revision=4922
author: Rob Austein <sra@hactrn.net> 2012-11-28 04:31:07 +0000
committer: Rob Austein <sra@hactrn.net> 2012-11-28 04:31:07 +0000
commit: 361fb25012493242cb6cab9ba8edaf36d232570e (patch)
tree: 469da44af098eb838b2f97df58aef3ef870d673c
parent: 770ba2f6b7958dab863fc3d311498ef4de1fb206 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index fd1f7c11..2f37ed79 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -279,6 +279,7 @@ static const struct {
   QB(wrong_object_version,		"Wrong object version")		    \
   QW(aia_doesnt_match_issuer,		"AIA doesn't match issuer")	    \
   QW(bad_cms_si_signed_attributes, 	"Bad CMS SI signed attributes")	    \
+  QW(bad_signed_object_uri,		"Bad signedObject URI")		    \
   QW(crldp_names_newer_crl,		"CRLDP names newer CRL")	    \
   QW(digest_mismatch,			"Digest mismatch")		    \
   QW(ee_certificate_with_1024_bit_key, 	"EE certificate with 1024 bit key") \
@@ -3610,6 +3611,9 @@ static int check_x509(rcynic_ctx_t *rc,
     goto done;
   }
 
+  if (certinfo->signedobject.s[0] && strcmp(uri->s, certinfo->signedobject.s))
+    log_validation_status(rc, uri, bad_signed_object_uri, generation);
+
   if ((crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL)) != NULL) {
     ex_count--;
     if (!extract_crldp_uri(rc, uri, generation, crldp, &certinfo->crldp))
author	Rob Austein <sra@hactrn.net>	2012-11-28 04:31:07 +0000
committer	Rob Austein <sra@hactrn.net>	2012-11-28 04:31:07 +0000
commit	361fb25012493242cb6cab9ba8edaf36d232570e (patch)
tree	469da44af098eb838b2f97df58aef3ef870d673c
parent	770ba2f6b7958dab863fc3d311498ef4de1fb206 (diff)