Good catch! The original code makes no sense (compares the same values).

I applied your patch, just moved the X509_get_issuer_name() call
outside of the loop since it is not changing anyway. The change is
pushed to master. Could you please try it out?


Thanks for the bug report and the patch!

Aleksey

On 5/22/14, 12:34 AM, pfx wrote:
> Hello,
> 
> xmlSecDSigCtxVerify() uses a stack of CRLs to ignore revoked certificates.
> For this purpose, xmlSecOpenSSLX509VerifyCertAgainstCrls() is called by
> xmlSecDSigCtxVerify() to check a certificate against the stack of CRLs.
> 
> In this routine, the first loop tries to find the CRL that matches the
> certificate (same issuer):
>     issuer = X509_CRL_get_issuer(crl);
>     if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) {
> but this expression is always true, and
> xmlSecOpenSSLX509VerifyCertAgainstCrls() always uses the first CRL.
> 
> A possible patch: compare the CRL issuer against the certificate issuer as below.
> 
> diff -Naur -x configure.txt -x config.h -x Makefile -x '*.pdb'
> temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c
> temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c
> --- temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c    2009-09-12
> 22:08:31.000000000 +0200
> +++ temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c 2014-05-21
> 19:46:17.193896800 +0200
> @@ -967,7 +967,7 @@
>          continue;
>      }
> 
> -    issuer = X509_CRL_get_issuer(crl);
> +    issuer = X509_get_issuer_name(cert);
>      if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer)
> == 0) {
>          break;
>      }
> 
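Review bot: `issuer = X509_get_issuer_name(cert);` reads from `cert`, which does not change between iterations, so the assignment belongs before the loop rather than inside it (the lookup is repeated for every CRL on the stack otherwise). Two things the commit message should spell out: the `break` still means only the first CRL whose issuer matches the certificate's issuer is consulted, so if the stack can hold two CRLs from the same issuer (say an older and a newer one) the second is never looked at; and the `== 0) {` on its own line is mail-client wrapping of the `if` line, not part of the patch, so apply it from a clean copy rather than from this message.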
> Regards,
> 
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
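To make the effect of the bug concrete, here is an added example (not xmlsec's or OpenSSL's code) that models the CRL-selection loop discussed in the thread with plain structs standing in for X509 and X509_CRL, and a `strcmp` standing in for xmlSecOpenSSLX509NamesCompare(). `find_crl_buggy` mirrors the original comparison of the CRL issuer with itself; `find_crl_fixed` applies the patch as Aleksey merged it, reading the certificate issuer once before the loop. The sample CRLs and certificates are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for X509 and X509_CRL (not the OpenSSL types). */
typedef struct {
    const char *issuer;
    const char *serial;
} FakeCert;

typedef struct {
    const char *issuer;
    const char *revoked[4];   /* NULL-terminated list of revoked serials */
} FakeCrl;

/* Stand-in for xmlSecOpenSSLX509NamesCompare(): 0 when the names are equal. */
static int names_compare(const char *a, const char *b) {
    return strcmp(a, b);
}

/* Buggy selection: mirrors the xmlsec 1.2.13 loop, which compared the CRL's
 * issuer with itself, so the first CRL on the stack always "matches". */
int find_crl_buggy(const FakeCrl *crls, size_t n, const FakeCert *cert) {
    (void)cert;                                            /* never consulted */
    for (size_t i = 0; i < n; i++) {
        const char *issuer = crls[i].issuer;               /* X509_CRL_get_issuer(crl) */
        if (names_compare(crls[i].issuer, issuer) == 0) {  /* always 0 */
            return (int)i;
        }
    }
    return -1;
}

/* Fixed selection: compare each CRL's issuer against the certificate's issuer.
 * The certificate issuer is read once, outside the loop, as in the merged fix. */
int find_crl_fixed(const FakeCrl *crls, size_t n, const FakeCert *cert) {
    const char *issuer = cert->issuer;                     /* X509_get_issuer_name(cert) */
    for (size_t i = 0; i < n; i++) {
        if (names_compare(crls[i].issuer, issuer) == 0) {
            return (int)i;                                 /* first CRL from this issuer */
        }
    }
    return -1;                                             /* no CRL for this issuer */
}

/* 1 if the certificate's serial is listed in the CRL, else 0. */
int crl_revokes(const FakeCrl *crl, const FakeCert *cert) {
    for (size_t i = 0; crl->revoked[i] != NULL; i++) {
        if (strcmp(crl->revoked[i], cert->serial) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Constructed sample data: two CRLs from different issuers. */
static const FakeCrl sample_crls[] = {
    { "CN=Root CA A",         { "0x1001", NULL } },
    { "CN=Intermediate CA B", { "0x2002", "0x2003", NULL } },
};
static const size_t sample_crl_count = 2;

/* A certificate issued by CA B whose serial CA B has revoked. */
static const FakeCert revoked_by_b = { "CN=Intermediate CA B", "0x2003" };
/* A certificate from an issuer for which no CRL is on the stack. */
static const FakeCert unknown_issuer = { "CN=Some Other CA", "0x3003" };

/* Returns 1 if revoked, 0 if not revoked, -1 if no CRL from the issuer is held.
 * The selection strategy is passed in so both variants can be compared. */
int check_revocation(int (*find)(const FakeCrl *, size_t, const FakeCert *),
                     const FakeCert *cert) {
    int idx = find(sample_crls, sample_crl_count, cert);
    if (idx < 0) {
        return -1;
    }
    return crl_revokes(&sample_crls[idx], cert);
}
```

With the buggy selector, `revoked_by_b` is checked against CA A's CRL, which does not list it, so the revoked certificate passes; the fixed selector picks CA B's CRL and reports the revocation. The `-1` case shows the decision the original loop leaves to its caller: a certificate whose issuer has no CRL on the stack is neither confirmed good nor confirmed revoked.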