mirror of
https://github.com/yuzu-emu/mbedtls
synced 2024-11-24 08:28:25 +00:00
Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through one of the configured CRLs, the library would only consider those CRLs whose `issuer` field binary-matches the `subject` field of the CA that has issued the CRT in question. If those fields were not binary equivalent, the corresponding CRL was discarded. This is not in line with RFC 5280, which demands that the comparison should be format- and case-insensitive. For example: - If the same string is once encoded as a `PrintableString` and another time as a `UTF8String`, they should compare equal. - If two strings differ only in their choice of upper and lower case letters, they should compare equal. This commit fixes this by using the dedicated x509_name_cmp() function to compare the CRL issuer with the CA subject. Fixes #1784.
This commit is contained in:
parent
1f8527f1cf
commit
b75ffb5061
1 changed files with 3 additions and 4 deletions
|
@ -1814,9 +1814,7 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
|||
while( crl_list != NULL )
|
||||
{
|
||||
if( crl_list->version == 0 ||
|
||||
crl_list->issuer_raw.len != ca->subject_raw.len ||
|
||||
memcmp( crl_list->issuer_raw.p, ca->subject_raw.p,
|
||||
crl_list->issuer_raw.len ) != 0 )
|
||||
x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 )
|
||||
{
|
||||
crl_list = crl_list->next;
|
||||
continue;
|
||||
|
@ -1826,7 +1824,8 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
|
|||
* Check if the CA is configured to sign CRLs
|
||||
*/
|
||||
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
||||
if( mbedtls_x509_crt_check_key_usage( ca, MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
|
||||
if( mbedtls_x509_crt_check_key_usage( ca,
|
||||
MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
|
||||
{
|
||||
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
|
||||
break;
|
||||
|
|
Loading…
Reference in a new issue