authorRob Austein <sra@hactrn.net>2012-03-09 21:36:04 +0000
committerRob Austein <sra@hactrn.net>2012-03-09 21:36:04 +0000
commit206e6a0391a47036c4b83e5472083a1fe286747e (patch)
tree1abb8e5fb10bae985bafb9a49a6ab63ef6cb1649 /rcynic
parentf3af4e1bf6566664759cad4bf9d59c3ea0442169 (diff)
Move AKI checks to precede signature check, as AKI checks are cheaper.
svn path=/trunk/; revision=4392
Diffstat (limited to 'rcynic')
-rw-r--r--rcynic/rcynic.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 17b1493b..d22e95d4 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -2891,6 +2891,7 @@ static int check_aki(rcynic_ctx_t *rc,
if (ASN1_OCTET_STRING_cmp(aki->keyid, issuer->skid)) {
log_validation_status(rc, uri, aki_extension_issuer_mismatch, generation);
+ return 0;
}
return 1;
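Review bot: The added `return 0;` turns an AKI/SKI keyid mismatch from a logged-but-accepted condition into a hard rejection of the certificate, and the commit message ("Move AKI checks to precede signature check") does not mention that behaviour change. Anyone reading the history to understand why certificates started failing with aki_extension_issuer_mismatch would want it called out, e.g. a second line such as `check_aki() now fails (returns 0) on a keyid mismatch instead of only logging it.` check_aki's signature and the rest of its body lie outside the hunk, so whether its other mismatch branches already return 0 cannot be confirmed here.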
@@ -3513,11 +3514,6 @@ static int check_x509(rcynic_ctx_t *rc,
goto done;
}
- if ((issuer_pkey = X509_get_pubkey(w->cert)) == NULL || X509_verify(x, issuer_pkey) <= 0) {
- log_validation_status(rc, uri, certificate_bad_signature, generation);
- goto done;
- }
-
if (x->akid) {
ex_count--;
if (!check_aki(rc, uri, w->cert, x->akid, generation))
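Review bot: Moving the X509_get_pubkey()/X509_verify() block after the AKI check (this hunk and the one at +3525) changes which status a certificate with both a bad AKI and a bad signature receives: it is now reported as `aki_extension_issuer_mismatch` and its signature is never verified, where before it was reported as `certificate_bad_signature`. That is consistent with the commit's intent, but it is an observable change in the validation log and deserves a comment at the relocated check, e.g. `/* Issuer key is only used to verify the signature once the cheaper AKI/SKI match has passed. */`. check_x509 begins and ends outside these hunks; the relocation presumably leaves the `issuer_pkey` release at the `done:` label as before, which cannot be confirmed from here.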
@@ -3529,6 +3525,11 @@ static int check_x509(rcynic_ctx_t *rc,
goto done;
}
+ if ((issuer_pkey = X509_get_pubkey(w->cert)) == NULL || X509_verify(x, issuer_pkey) <= 0) {
+ log_validation_status(rc, uri, certificate_bad_signature, generation);
+ goto done;
+ }
+
if (certinfo->ta) {
if (certinfo->crldp.s[0]) {