authorRob Austein <sra@hactrn.net>2010-09-03 04:53:21 +0000
committerRob Austein <sra@hactrn.net>2010-09-03 04:53:21 +0000
commitb5dd5fe7f0f336bb54cf454f3222c8f581f7136c (patch)
tree6ff5486417f8c942fb939129c036ff373d814003 /rpkid
parenteabf23e6c9a3c5e4f1548523e6c280b7a5856ed6 (diff)
Restrict extra identity checks for trusted BPKI EE certificates to
subject name and public key, so that things won't come to a grinding halt if BPKI certificates are updated while daemons are running. svn path=/rpkid/rpki/x509.py; revision=3438
Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/rpki/x509.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 9d770ffa..f7929d00 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -854,7 +854,7 @@ class CMS_object(DER_object):
if trusted_ee:
if self.debug_cms_certs:
rpki.log.debug("Trusted CMS EE cert issuer %s subject %s SKI %s" % (trusted_ee.getIssuer(), trusted_ee.getSubject(), trusted_ee.hSKI()))
- if certs and (len(certs) > 1 or certs[0] != trusted_ee):
+ if certs and (len(certs) > 1 or certs[0].getSubject() != trusted_ee.getSubject() or certs[0].getPublicKey() != trusted_ee.getPublicKey()):
raise rpki.exceptions.UnexpectedCMSCerts, certs
if crls:
raise rpki.exceptions.UnexpectedCMSCRLs, crls
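Review bot: The relaxed test on the `+` line accepts any embedded certificate whose subject and public key match `trusted_ee`, so a copy that differs in validity period, serial or extensions now passes this gate; that is only safe if the signature is later verified against `trusted_ee` itself rather than `certs[0]`, which this hunk does not show. A comment above the condition would record that dependency, e.g. `# Match on subject + public key only so a reissued BPKI EE cert still passes; verification must use trusted_ee, never certs[0].` The comparison also relies on `getPublicKey()` returning something that compares by value; if it returns a wrapper object without an equality method, `!=` would presumably fall back to identity and reject every embedded certificate, so that is worth confirming. The enclosing method of `CMS_object` starts and ends outside the hunk.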