authorBob Beck <beck@cvs.openbsd.org>2024-02-01 23:16:39 +0000
committerBob Beck <beck@cvs.openbsd.org>2024-02-01 23:16:39 +0000
commit4692269a6d5d6adbb3d49f04eaf2c699eb92158a (patch)
treed3dd51ee4cb498a4a436100f73996f95700385bf /lib
parent8b533ccba1439a7e6205c13bfe1008b33a16be22 (diff)
Fix the verifier to use the trust store
The trust store is yet another obscure way to add a trust anchor.
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/x509/x509_verify.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index c4c89a23b95..19bb925d9c6 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
@@ -287,6 +287,18 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
/* Check by lookup if we have a legacy xsc */
if (ctx->xsc != NULL) {
+ /*
+ * "alternative" lookup method, using the "trusted" stack in the
+ * xsc as the source for roots.
+ */
+ if (ctx->xsc->trusted != NULL) {
+ for (i = 0; i < sk_X509_num(ctx->xsc->trusted); i++) {
+ if (X509_cmp(sk_X509_value(ctx->xsc->trusted,
+ i), cert) == 0)
+ return x509_verify_check_chain_end(cert,
+ full_chain);
+ }
+ }
if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
cert)) != NULL) {
X509_free(match);