Check name hash after matching AKID
RFC 5280, Section 4.1.2.6: If the subject is a CA (e.g., the basic constraints extension, as discussed in Section 4.2.1.9, is present and the value of cA is TRUE), then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field (Section 4.1.2.4) in all certificates issued by the subject CA. The subject name must match - even when the AKID matches.
This commit is contained in:
parent
7e74d02da5
commit
c1218a541b
@ -8666,12 +8666,17 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
||||
} else {
|
||||
cert->ca = NULL;
|
||||
#ifndef NO_SKID
|
||||
if (cert->extAuthKeyIdSet)
|
||||
if (cert->extAuthKeyIdSet) {
|
||||
cert->ca = GetCA(cm, cert->extAuthKeyId);
|
||||
}
|
||||
if (cert->ca == NULL && cert->extSubjKeyIdSet \
|
||||
&& verify != VERIFY_OCSP) {
|
||||
cert->ca = GetCA(cm, cert->extSubjKeyId);
|
||||
}
|
||||
if (cert->ca != NULL && XMEMCMP(cert->issuerHash,
|
||||
cert->ca->subjectNameHash, KEYID_SIZE) != 0) {
|
||||
cert->ca = NULL;
|
||||
}
|
||||
if (cert->ca == NULL)
|
||||
cert->ca = GetCAByName(cm, cert->issuerHash);
|
||||
|
||||
@ -8766,6 +8771,10 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
||||
&& verify != VERIFY_OCSP) {
|
||||
cert->ca = GetCA(cm, cert->extSubjKeyId);
|
||||
}
|
||||
if (cert->ca != NULL && XMEMCMP(cert->issuerHash,
|
||||
cert->ca->subjectNameHash, KEYID_SIZE) != 0) {
|
||||
cert->ca = NULL;
|
||||
}
|
||||
if (cert->ca == NULL)
|
||||
cert->ca = GetCAByName(cm, cert->issuerHash);
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user