[EMAIL PROTECTED] wrote:
>   Index: x509_vfy.c
>   ===================================================================
>   RCS file: /e/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v
>   retrieving revision 1.48
>   retrieving revision 1.49
>   diff -u -r1.48 -r1.49
>   --- x509_vfy.c        2001/01/20 13:38:45     1.48
>   +++ x509_vfy.c        2001/01/28 14:38:11     1.49
>   @@ -488,6 +488,13 @@
>                                 if (!ok) goto end;
>                                 }
>                         if (X509_verify(xs,pkey) <= 0)
>   +                             /* XXX  For the final trusted self-signed cert,
>   +                              * this is a waste of time.  That check should
>   +                              * optional so that e.g. 'openssl x509' can be
>   +                              * used to detect invalid self-signatures, but
>   +                              * we don't verify again and again in SSL
>   +                              * handshakes and the like once the cert has
>   +                              * been declared trusted. */
>                                 {
>                                 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
>                                 ctx->current_cert=xs;
> 
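Review bot: the new comment is wedged between `if (X509_verify(xs,pkey) <= 0)` and the `{` that opens its body, so the condition and the `ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;` block that belongs to it are visually split; move the comment above the `if` (or inside the braces) so the control flow reads as written. The comment text also drops a word: "That check should optional" should be "That check should be optional". Note that the hunk adds only the XXX remark and changes no code, so the repeated verification it flags is left exactly as before.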

If I recall that bit of code, I don't think the check will happen more
than once: though more by luck than design.

If the certificate verifies the first time it will have its 'valid'
field set to 1.

The root certificate will always be looked up and will then be placed in
the X509_STORE cache so subsequent lookups will always return the same
structure. This should mean that the check on the 'valid' field will
bypass the signature check after the first successful call.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
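To make the argument above concrete, here is an added toy model (not OpenSSL code, and not from this thread) of the 'valid'-field short-circuit: it counts how often the signature check runs when the store hands back the same cached structure versus a fresh copy on every lookup. The `cert` layout, the XOR "signature", `lookup()` and `count_sig_checks()` are constructed assumptions, not OpenSSL APIs.

```c
/* Constructed model of the x509_vfy.c 'valid' short-circuit (not OpenSSL code). */
struct cert {
    char subject[32];
    unsigned char tbs[16];   /* to-be-signed bytes (constructed sample) */
    unsigned char sig;       /* toy "signature": XOR of the tbs bytes */
    int valid;               /* set to 1 after the first successful check */
};

static int sig_checks;       /* how many times the expensive check ran */

/* Stand-in for X509_verify(): toy XOR check, not real cryptography. */
static int toy_verify(const struct cert *c)
{
    unsigned char x = 0;
    for (unsigned i = 0; i < sizeof c->tbs; i++) x ^= c->tbs[i];
    sig_checks++;
    return x == c->sig;
}

/* Mirrors the verify flow: consult 'valid' before paying for a verify. */
static int verify_cert(struct cert *c)
{
    if (c->valid) return 1;
    if (!toy_verify(c)) return 0;   /* X509_V_ERR_CERT_SIGNATURE_FAILURE */
    c->valid = 1;
    return 1;
}

/* The cached root (constructed): XOR of 1..16 is 16, so sig = 16. */
static struct cert root = { "CN=Root",
    {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}, 16, 0 };

/* Store lookup: 'shared' returns the cached object (the X509_STORE case);
 * otherwise a fresh copy, where the 'valid' flag is not carried over. */
static struct cert *lookup(int shared, struct cert *copy)
{
    if (shared) return &root;
    *copy = root;
    return copy;
}

/* Runs n verifications; returns the number of signature checks, -1 on failure. */
int count_sig_checks(int shared, int n)
{
    struct cert tmp;
    sig_checks = 0;
    root.valid = 0;
    for (int i = 0; i < n; i++)
        if (!verify_cert(lookup(shared, &tmp))) return -1;
    return sig_checks;
}
```

With the shared structure the check runs once for any number of verifications; with a copy per lookup it runs every time, which is the "luck rather than design" dependency on the store returning the same object.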
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]