One of our QA guys here came up with this one, so don't blame me. :)
If you are using a CA root file with a duplicate entry in it (actually, a
cert file with just a duplicated subject DN; it doesn't have to be an exact
duplicate cert), parsing of the file stops at the duplicate cert.
Is this done on purpose? If so, why? The code in question is in by_file.c
in X509_load_cert_file. If X509_STORE_add_cert() returns an error, it
unconditionally branches to the 'err' label.
The way to fix this is to change the:

    if (!i) goto err;

code to:

    if (!i)
    {
        /* We don't care if the cert is already in there.
        ** Still treat all other cases as fatal errors.
        */
        if (ERR_GET_REASON(ERR_peek_error()) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
        {
            goto err;
        }
        /* Don't leave the "already in hash table" error on the
        ** queue for the caller to trip over after a successful load.
        */
        ERR_clear_error();
    }
Just curious if there is some security reason to abort the parse for
duplicate cert entries...
Thanks.
-Bill P.
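A way to find the duplicate-subject entries that this loop stops at, as an added example that is not part of the original post or of OpenSSL: it walks the DER of each PEM certificate in a bundle, pulls out the raw subject Name, and reports every certificate whose subject DN repeats an earlier one. The certificates built by _fake_cert() are constructed, unsigned stand-ins (empty validity, no real signature) so the script runs offline; pass the text of a real CA bundle to duplicate_subjects() to check it.

```python
import base64, re
def _tlv(buf, off=0):
    """Read one DER element at buf[off]; return (tag, value, total size)."""
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, buf[off + hdr:off + hdr + ln], hdr + ln

def subject_dn(cert_der):
    """Raw DER bytes of the subject Name inside an X.509 certificate."""
    _, cert, _ = _tlv(cert_der)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                      # tbsCertificate ::= SEQUENCE
    fields, off = [], 0
    while off < len(tbs):                       # split tbs into (tag, element)
        tag, _, size = _tlv(tbs, off)
        fields.append((tag, tbs[off:off + size]))
        off += size
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][1]   # serialNumber, signature, issuer, validity, subject

def duplicate_subjects(pem_text):
    """[(index, index of first cert with the same subject DN), ...]: the
    entries at which X509_load_cert_file() stops loading the bundle."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    seen, dups = {}, []
    for i, b64 in enumerate(re.findall(pat, pem_text, re.S)):
        key = subject_dn(base64.b64decode("".join(b64.split())))
        if key in seen:
            dups.append((i, seen[key]))
        else:
            seen[key] = i
    return dups

# Constructed test data: short-form DER lengths suffice for these tiny blobs.
def _enc(tag, val): return bytes([tag, len(val)]) + val

def _fake_cert(cn, serial):
    """Unsigned stand-in for a certificate; only the tbsCertificate layout is real."""
    name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03")    # commonName
                                              + _enc(0x0C, cn.encode()))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, bytes([serial]))
           + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name + _enc(0x30, b"") + name)     # issuer, (empty) validity, subject
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
def _pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"
# "Root A" appears twice with different serial numbers, i.e. a duplicate subject DN.
SAMPLE_BUNDLE = (_pem(_fake_cert("Root A", 1)) + _pem(_fake_cert("Root B", 2))
                 + _pem(_fake_cert("Root A", 3)))
```

duplicate_subjects(SAMPLE_BUNDLE) returns [(2, 0)]: the third certificate repeats the subject of the first, which is exactly where the unpatched loader would give up.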
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]