Initial code to support distinct certificate and CRL signing keys where the
[openssl.git] / crypto / x509 / x509_vfy.c
index 05dcd8b0a32182cc548cd1940f9159d44242bbcc..f33d16bba966d1738144d024b49c8f1b05fd4297 100644 (file)
@@ -795,6 +795,9 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer)
        {
        X509 *crl_issuer;
        int cidx = ctx->error_depth;
+#if 0
+       int i;
+#endif
        if (!crl->akid)
                return 1;
        if (cidx != sk_X509_num(ctx->chain) - 1)
@@ -819,7 +822,31 @@ static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer)
                                break;
                        }
                }
-               
+
+
+       /* Otherwise the CRL issuer is not on the path. Look for it in the
+        * set of untrusted certificates.
+        */
+
+#if 0
+       /* FIXME: not enabled yet because the CRL issuer certifcate is not
+        * validated.
+        */
+
+       for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
+               {
+               crl_issuer = sk_X509_value(ctx->untrusted, i);
+               if (X509_NAME_cmp(X509_get_subject_name(crl_issuer),
+                                       X509_CRL_get_issuer(crl)))
+                       continue;
+               if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
+                       {
+                       *pissuer = crl_issuer;
+                       return 1;
+                       }
+               }
+#endif
+
        return 0;
        }
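Review bot: The disabled lookup at the end of the hunk picks a CRL issuer out of ctx->untrusted on subject-name and AKID match alone, so once the `#if 0` is lifted any caller who controls the untrusted set could supply a self-issued certificate whose subject and key identifier match and have it accepted as the CRL signer; the FIXME records this, but it should be turned into an explicit check rather than a comment. Before `*pissuer = crl_issuer;` the candidate needs to be chained to a trusted anchor under the same store and verify parameters (presumably a nested chain build against ctx->ctx) and checked for the cRLSign key usage, and the comment should say so, e.g. `/* Candidate must be path-validated and permitted to sign CRLs before it is accepted; unvalidated untrusted certs can spoof the CRL issuer. */`. Until that exists, keeping the block under `#if 0` is the safe state, but dead code in a shipped source file tends to be enabled by a later cleanup without re-reading the FIXME. Two nits: the comment misspells `certifcate`, and the hunk adds two consecutive blank lines where one was removed. crl_akid_check begins outside the hunk.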