Don't hand null pointer to OpenSSL if we can't find a plausible

issuer. Not sure we really need the complex issuer-finding code at all anymore, but dumping core is not an appropriate form of social criticism. svn path=/branches/tk705/; revision=6183
author: Rob Austein <sra@hactrn.net> 2015-11-22 08:53:20 +0000
committer: Rob Austein <sra@hactrn.net> 2015-11-22 08:53:20 +0000
commit: 6ec036bfdceadc4ca72f27d4369dfded0c194a19 (patch)
tree: cea75a39534f16180004bf10594d36ba4433f200 /ext/POW.c
parent: 17d892bb1939a5c7421cf69119858b471a5c5539 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/ext/POW.c b/ext/POW.c
index 969dd3fb..72eac014 100644
--- a/ext/POW.c
+++ b/ext/POW.c
@@ -1485,6 +1485,7 @@ static int check_x509(X509 *x,
    */
 
 #warning Why are we not checking the critical flag on these extensions?
+#warning We may need to check that these extensions only contain URIs
 
   if ((aia = X509_get_ext_d2i(x, NID_info_access, NULL, NULL)) != NULL)
     ex_count--;
@@ -3581,7 +3582,8 @@ x509_object_verify(x509_object *self, PyObject *args, PyObject *kwds)
         if (X509_check_issued((issuer = sk_X509_value(untrusted_stack, i)), self->x509) != 0)
           issuer = NULL;
 
-    is_ta = (sk_X509_num(trusted_stack) == 1 && 
+    is_ta = (issuer != NULL &&
+             sk_X509_num(trusted_stack) == 1 && 
              sk_X509_num(untrusted_stack) == 0 &&
              X509_cmp(issuer, self->x509) == 0);
author	Rob Austein <sra@hactrn.net>	2015-11-22 08:53:20 +0000
committer	Rob Austein <sra@hactrn.net>	2015-11-22 08:53:20 +0000
commit	6ec036bfdceadc4ca72f27d4369dfded0c194a19 (patch)
tree	cea75a39534f16180004bf10594d36ba4433f200 /ext/POW.c
parent	17d892bb1939a5c7421cf69119858b471a5c5539 (diff)