authorRob Austein <sra@hactrn.net>2013-03-11 20:39:26 +0000
committerRob Austein <sra@hactrn.net>2013-03-11 20:39:26 +0000
commit83ac4e766bdc2253dcfddd40eaf8954a1e4734c1 (patch)
tree83492a3ac664dbf98ee03f316f0b90865f6f49c7 /rcynic
parent23403bf11a580b9c374488520bd7bda921078989 (diff)
Check CRL issuer name against issuing CA's subject name. Closes #459.
svn path=/trunk/; revision=5133
Diffstat (limited to 'rcynic')
-rw-r--r--rcynic/rcynic.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index 0634bc52..355b1c19 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -230,6 +230,7 @@ static const struct {
QB(cms_signer_missing, "CMS signer missing") \
QB(cms_ski_mismatch, "CMS SKI mismatch") \
QB(cms_validation_failure, "CMS validation failure") \
+ QB(crl_issuer_name_mismatch, "CRL issuer name mismatch") \
QB(crl_not_in_manifest, "CRL not listed in manifest") \
QB(crl_not_yet_valid, "CRL not yet valid") \
QB(crl_number_extension_missing, "CRL number extension missing") \
@@ -3269,6 +3270,11 @@ static X509_CRL *check_crl_1(rcynic_ctx_t *rc,
goto punt;
}
+ if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_subject_name(issuer))) {
+ log_validation_status(rc, uri, crl_issuer_name_mismatch, generation);
+ goto punt;
+ }
+
if (!check_allowed_dn(X509_CRL_get_issuer(crl))) {
log_validation_status(rc, uri, nonconformant_issuer_name, generation);
if (!rc->allow_nonconformant_name)
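Review bot: The new X509_NAME_cmp() test at the top of the second hunk folds the library's error return into the "mismatch" path, because X509_NAME_cmp() can return a negative value when it cannot produce a canonical encoding of either name, and the condition accepts any nonzero result. That is the fail-closed outcome you want here, but the logged status then reads as a name mismatch rather than an encoding problem, so the intent deserves a comment; I would put `/* RFC 6487 requires the CRL issuer to equal the issuing CA's subject; any nonzero return, including X509_NAME_cmp()'s error value, rejects the CRL (fail closed) */` above the `if`. Whether `issuer` has been checked for NULL before this point cannot be seen from the hunk; if it has not, a bare `X509_get_subject_name(issuer)` here would dereference it. check_crl_1's body starts and ends outside the hunk.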