I tried your patch (under Windows) from master. It works!
... and the next question is: when do you release a new version of xmlsec?

Patrick

On 22/05/2014 17:51, Aleksey Sanin wrote:
Good catch! The original code makes no sense (compares the same values). I applied your patch, just moved the X509_get_issuer_name() call outside of the loop since it is not changing anyway. The change is pushed to master. Could you please try it out?

Thanks for the bug report and the patch!

Aleksey

On 5/22/14, 12:34 AM, pfx wrote:

Hello,

xmlSecDSigCtxVerify() uses a stack of CRLs to ignore revoked certificates. For this purpose, xmlSecOpenSSLX509VerifyCertAgainstCrls() is called by xmlSecDSigCtxVerify() to check a certificate against the stack of CRLs. In this routine, the first loop tries to find the CRL that matches the certificate (same issuer):

    issuer = X509_CRL_get_issuer(crl);
    if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) {

but this expression is always true, and xmlSecOpenSSLX509VerifyCertAgainstCrls always uses the first CRL.

A possible patch: compare the CRL issuer against the certificate issuer, as below.

diff -Naur -x configure.txt -x config.h -x Makefile -x '*.pdb' temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c --- temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c 2009-09-12 22:08:31.000000000 +0200 +++ temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c 2014-05-21 19:46:17.193896800 +0200 @@ -967,7 +967,7 @@ continue; } - issuer = X509_CRL_get_issuer(crl); + issuer = X509_get_issuer_name(cert); if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) { break; }

Regards,

_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
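Review bot: the replacement line `+ issuer = X509_get_issuer_name(cert);` sits inside the loop body, so the certificate's issuer is re-fetched on every iteration even though it cannot change between CRLs; hoist that assignment above the loop (this is what the maintainer did when applying the patch) and consider renaming the variable to something like `certIssuer`, since a variable called `issuer` holding the CRL issuer is exactly what let the old self-comparison `xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer)` go unnoticed. Note also that the hunk still exits with `break;` on the first CRL whose issuer name matches, so when the stack holds more than one CRL from the same issuer (an old one and a refreshed one, say) only the first is ever consulted; if that is intended, a short comment on the selection rule would save the next reader from the same question.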
