author | Rob Austein <sra@hactrn.net> | 2012-02-03 17:16:17 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2012-02-03 17:16:17 +0000 |
commit | 39ee5dd4b01e3287f6f67c556d0b140add0f458f (patch) | |
tree | d1d175c4daf2fe0244ad89db99633e6c46ec464b /rpkid/rpki/up_down.py | |
parent | 5a9e22d68c5b95429d7333468fe5ea7a67a5e2ca (diff) |
Clean up exceptions in rpki.x509.CMS_object.verify().
Up-down specification explicitly allows certificates and CRLs we
consider extraneous to be included in CMS messages. I think that any
verification model which relies on these is flawed, so I don't use
them, in fact, nobody does, but I was unable to convince my co-authors
to change the specification. Sigh. So the up-down code has to allow
these. In theory, OpenSSL's verification code should have no problem
picking the useful bits out of the garbage, since that's a normal part
of OpenSSL's job when acting as a TLS client, so we just pass the mess
along to OpenSSL and let OpenSSL sort it out.
This closes #9.
svn path=/trunk/; revision=4287
Diffstat (limited to 'rpkid/rpki/up_down.py')
-rw-r--r-- | rpkid/rpki/up_down.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py index 009818cb..0eba6b52 100644 --- a/rpkid/rpki/up_down.py +++ b/rpkid/rpki/up_down.py @@ -704,3 +704,5 @@ class cms_msg(rpki.x509.XML_CMS_object): encoding = "UTF-8" schema = rpki.relaxng.up_down saxify = sax_handler.saxify + allow_extra_certs = True + allow_extra_crls = True |
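Review bot: The two new class attributes at the end of `cms_msg` (`allow_extra_certs = True`, `allow_extra_crls = True`) have no comment, so the reason this one message class relaxes the extra-certificate and extra-CRL checks is recorded only in the commit message. A short comment above them, saying that the up-down specification permits extraneous certificates and CRLs in the CMS wrapper and that they are passed through to OpenSSL to sort out, would keep a later reader from copying the flags to other CMS message classes without that justification. This view is limited to `up_down.py`, so how `rpki.x509.CMS_object.verify()` consumes the flags is not visible here; it is worth confirming in that function that the extra certificates are only offered to OpenSSL as untrusted candidates and never added to the trust anchors.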