authorRob Austein <sra@hactrn.net>2012-11-28 04:31:07 +0000
committerRob Austein <sra@hactrn.net>2012-11-28 04:31:07 +0000
commit361fb25012493242cb6cab9ba8edaf36d232570e (patch)
tree469da44af098eb838b2f97df58aef3ef870d673c
parent770ba2f6b7958dab863fc3d311498ef4de1fb206 (diff)
Check signedObject URI when present. Closes #173.
svn path=/trunk/; revision=4922
-rw-r--r--rcynic/rcynic.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index fd1f7c11..2f37ed79 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -279,6 +279,7 @@ static const struct {
QB(wrong_object_version, "Wrong object version") \
QW(aia_doesnt_match_issuer, "AIA doesn't match issuer") \
QW(bad_cms_si_signed_attributes, "Bad CMS SI signed attributes") \
+ QW(bad_signed_object_uri, "Bad signedObject URI") \
QW(crldp_names_newer_crl, "CRLDP names newer CRL") \
QW(digest_mismatch, "Digest mismatch") \
QW(ee_certificate_with_1024_bit_key, "EE certificate with 1024 bit key") \
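Review bot: The new status is registered with `QW` on the `bad_signed_object_uri` line, so a signedObject URI that differs from the URI the object was fetched from is recorded as a warning and, as far as the check_x509 hunk below shows, validation continues past it rather than rejecting the certificate. If that leniency is deliberate, a short comment beside the entry would make it explicit, e.g. `/* Warning only: a mismatched signedObject URI is logged, not rejected. */`; if a mismatch is meant to be fatal, `QB` is the stricter registration. The comparison in check_x509 is a plain `strcmp`, so any byte difference (case, trailing slash) counts as a mismatch — worth a note if URI normalization is expected to happen earlier. The check_x509 hunk itself runs past the end of this excerpt, so its tail could not be reviewed.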
@@ -3610,6 +3611,9 @@ static int check_x509(rcynic_ctx_t *rc,
goto done;
}
+ if (certinfo->signedobject.s[0] && strcmp(uri->s, certinfo->signedobject.s))
+ log_validation_status(rc, uri, bad_signed_object_uri, generation);
+
if ((crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL)) != NULL) {
ex_count--;
if (!extract_crldp_uri(rc, uri, generation, crldp, &certinfo->crldp))