diff options
| author | David Benjamin <davidben@chromium.org> | 2021-03-04 15:38:17 -0500 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2021-03-04 22:56:22 +0000 |
| commit | 0a11c2a02804a1d518e0b8346ae4e6b84d2f02ff (patch) | |
| tree | 15c41425ae20b84e3fa8afa2abbfe85bf172f933 /cast | |
| parent | c9c0d21440c944b4343535d49f6a13ee3ac6a29e (diff) | |
| download | openscreen-0a11c2a02804a1d518e0b8346ae4e6b84d2f02ff.tar.gz | |
Maintain self-issued bit in a local variable
EXFLAG_SI is recomputed in each loop anyway, so there is no point
storing it with the certificate in the first place. It is also, in this
code, not *entirely* path-independent due to the is_root check. This
fixes a potential bug where checking one path impacts the behavior of
another path.
Change-Id: If9b0d157dd49c44723c1a8e2f83eebfc3fc2779c
Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/2737756
Reviewed-by: Brandon Tolsch <btolsch@chromium.org>
Commit-Queue: Brandon Tolsch <btolsch@chromium.org>
Diffstat (limited to 'cast')
| -rw-r--r-- | cast/common/certificate/cast_cert_validator_internal.cc | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/cast/common/certificate/cast_cert_validator_internal.cc b/cast/common/certificate/cast_cert_validator_internal.cc index 931ae267..94e2ac60 100644 --- a/cast/common/certificate/cast_cert_validator_internal.cc +++ b/cast/common/certificate/cast_cert_validator_internal.cc @@ -115,6 +115,7 @@ Error::Code VerifyCertificateChain(const std::vector<CertPathStep>& path, X509* subject = path[i + 1].cert; X509* issuer = path[i].cert; bool is_root = (i == step_index); + bool issuer_is_self_issued = false; if (!is_root) { if ((error = VerifyCertTime(issuer, time)) != Error::Code::kNone) { return error; @@ -126,14 +127,10 @@ Error::Code VerifyCertificateChain(const std::vector<CertPathStep>& path, } --max_pathlen; } else { - // TODO(davidben): This code repurposes BoringSSL's internal caches for - // application-specific storage. Manage this state separately. - issuer->ex_flags |= EXFLAG_SI; + issuer_is_self_issued = true; } } else { - // TODO(davidben): This code repurposes BoringSSL's internal caches for - // application-specific storage. Manage this state separately. - issuer->ex_flags |= EXFLAG_SI; + issuer_is_self_issued = true; } bssl::UniquePtr<ASN1_BIT_STRING> key_usage = GetKeyUsage(issuer); @@ -181,8 +178,7 @@ Error::Code VerifyCertificateChain(const std::vector<CertPathStep>& path, // NOTE: (!self-issued || target) -> verify name constraints. Target case // is after the loop. - const bool is_self_issued = issuer->ex_flags & EXFLAG_SI; - if (!is_self_issued) { + if (!issuer_is_self_issued) { for (NAME_CONSTRAINTS* name_constraints : path_name_constraints) { if (NAME_CONSTRAINTS_check(subject, name_constraints) != X509_V_OK) { return Error::Code::kErrCertsVerifyGeneric; |