From 0a11c2a02804a1d518e0b8346ae4e6b84d2f02ff Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@chromium.org>
Date: Thu, 4 Mar 2021 15:38:17 -0500
Subject: Maintain self-issued bit in a local variable

EXFLAG_SI is recomputed in each loop anyway, so there is no point
storing it with the certificate in the first place. It is also, in this
code, not *entirely* path-independent due to the is_root check. This
fixes a potential bug where checking one path impacts the behavior of
another path.

Change-Id: If9b0d157dd49c44723c1a8e2f83eebfc3fc2779c
Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/2737756
Reviewed-by: Brandon Tolsch <btolsch@chromium.org>
Commit-Queue: Brandon Tolsch <btolsch@chromium.org>
---
 cast/common/certificate/cast_cert_validator_internal.cc | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

(limited to 'cast')

diff --git a/cast/common/certificate/cast_cert_validator_internal.cc b/cast/common/certificate/cast_cert_validator_internal.cc
index 931ae267..94e2ac60 100644
--- a/cast/common/certificate/cast_cert_validator_internal.cc
+++ b/cast/common/certificate/cast_cert_validator_internal.cc
@@ -115,6 +115,7 @@ Error::Code VerifyCertificateChain(const std::vector<CertPathStep>& path,
     X509* subject = path[i + 1].cert;
     X509* issuer = path[i].cert;
     bool is_root = (i == step_index);
+    bool issuer_is_self_issued = false;
     if (!is_root) {
       if ((error = VerifyCertTime(issuer, time)) != Error::Code::kNone) {
         return error;
@@ -126,14 +127,10 @@ Error::Code VerifyCertificateChain(const std::vector<CertPathStep>& path,
         }
         --max_pathlen;
       } else {
-        // TODO(davidben): This code repurposes BoringSSL's internal caches for
-        // application-specific storage. Manage this state separately.
-        issuer->ex_flags |= EXFLAG_SI;
+        issuer_is_self_issued = true;
       }
     } else {
-      // TODO(davidben): This code repurposes BoringSSL's internal caches for
-      // application-specific storage. Manage this state separately.
-      issuer->ex_flags |= EXFLAG_SI;
+      issuer_is_self_issued = true;
     }
 
     bssl::UniquePtr<ASN1_BIT_STRING> key_usage = GetKeyUsage(issuer);
@@ -181,8 +178,7 @@ Error::Code VerifyCertificateChain(const std::vector<CertPathStep>& path,
 
     // NOTE: (!self-issued || target) -> verify name constraints.  Target case
     // is after the loop.
-    const bool is_self_issued = issuer->ex_flags & EXFLAG_SI;
-    if (!is_self_issued) {
+    if (!issuer_is_self_issued) {
       for (NAME_CONSTRAINTS* name_constraints : path_name_constraints) {
         if (NAME_CONSTRAINTS_check(subject, name_constraints) != X509_V_OK) {
           return Error::Code::kErrCertsVerifyGeneric;
-- 
cgit v1.2.3