author | Bob Beck <beck@cvs.openbsd.org> | 2024-02-01 23:16:39 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2024-02-01 23:16:39 +0000 |
commit | 4692269a6d5d6adbb3d49f04eaf2c699eb92158a (patch) | |
tree | d3dd51ee4cb498a4a436100f73996f95700385bf /lib | |
parent | 8b533ccba1439a7e6205c13bfe1008b33a16be22 (diff) |
Fix the verifier to use the trust store
the trust store is yet another obscure way to add a trust anchor
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libcrypto/x509/x509_verify.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index c4c89a23b95..19bb925d9c6 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -287,6 +287,18 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
 /* Check by lookup if we have a legacy xsc */
 if (ctx->xsc != NULL) {
+ /*
+ * "alternative" lookup method, using the "trusted" stack in the
+ * xsc as the source for roots.
+ */
+ if (ctx->xsc->trusted != NULL) {
+ for (i = 0; i < sk_X509_num(ctx->xsc->trusted); i++) {
+ if (X509_cmp(sk_X509_value(ctx->xsc->trusted,
+ i), cert) == 0)
+ return x509_verify_check_chain_end(cert,
+ full_chain);
+ }
+ }
 if ((match = x509_vfy_lookup_cert_match(ctx->xsc, cert)) != NULL) {
 X509_free(match); |
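Review bot: The new block comment in the second hunk ("alternative" lookup method) does not say where the trusted stack comes from or that a hit there is promoted to a trust anchor on equal footing with a store hit, which is the security-relevant fact a reader of x509_verify_ctx_cert_is_root needs; suggest replacing it with `/* The xsc's trusted stack (set by the application via X509_STORE_CTX_set0_trusted_stack() or the older X509_STORE_CTX_trusted_stack()) is another source of trust anchors: a certificate found there by X509_cmp() is treated as a root exactly like one found in the store. */`. It would also help to state in that comment that the match is an exact-certificate comparison (X509_cmp()), not a subject-name or key match, so a trusted certificate that merely shares the subject of `cert` does not qualify. The loop uses `i` without declaring it, so it presumably reuses a variable declared in the function head, which lies outside the hunk; confirm that, since the function body both starts before and continues after this hunk. Minor style point: `sk_X509_num()` of a NULL stack yields a negative count, so the enclosing `if (ctx->xsc->trusted != NULL)` guard is redundant with the loop condition, though harmless.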