authorRob Austein <sra@hactrn.net>2012-02-01 00:40:12 +0000
committerRob Austein <sra@hactrn.net>2012-02-01 00:40:12 +0000
commit4bc26775b9ab9f6c63a435ce38f2642b6b790c00 (patch)
tree460f962ca3279818bd40adea849b06ddd52e6edb /rcynic
parent362b7967c16155f9b24cf257ae7b63bab43c6af6 (diff)
AKI checks still weren't quite right.
svn path=/trunk/; revision=4277
Diffstat (limited to 'rcynic')
-rw-r--r--rcynic/rcynic.c25
1 files changed, 8 insertions, 17 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index c136cebe..a6375126 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -3016,21 +3016,6 @@ static X509_CRL *check_crl_1(rcynic_ctx_t *rc,
}
}
-#if 0
- /*
- * Might need to generalize this to check cert AKI as well. Haven't
- * handled cert SKI check yet either. Do we want to call
- * X509_check_akid() here or just compare the OCTET STRINGs
- * directly? 99% of X509_check_akid() is irrelevant to our profile.
- */
- if (!crl->akid ||
- !crl->akid->keyid ||
- crl->akid->serial ||
- crl->akid->issuer ||
- X509_check_akid(issuer, crl->akid) != X509_V_OK)
- bad_crl_akid;
-#endif
-
if ((pkey = X509_get_pubkey(issuer)) == NULL)
goto punt;
ret = X509_CRL_verify(crl, pkey);
@@ -3505,10 +3490,16 @@ static int check_x509(rcynic_ctx_t *rc,
goto done;
}
- if (check_aki(rc, uri, w->cert, x->akid, generation))
+ if (x->akid) {
ex_count--;
- else if (!certinfo->ta || x->akid)
+ if (!check_aki(rc, uri, w->cert, x->akid, generation))
+ goto done;
+ }
+
+ if (!x->akid && !certinfo->ta) {
+ log_validation_status(rc, uri, aki_extension_missing, generation);
goto done;
+ }
if (certinfo->ta) {