I have several certificates with the same subject which are in two
different directories. When I put these two directories into an
X509_LOOKUP_hash_dir lookup and use this lookup during validation, the
certificate is found only if it is in the first directory of the lookup.
I've found the problem in OpenSSL 0.9.6g and also in 0.9.7.
I've looked into it and the cause is probably in
crypto/x509/by_dir.c, function get_cert_by_subject(). The outer loop
here goes through the directories assigned to the lookup object. For each
directory all the certificates with the given hash code are loaded. Next,
the certificate is looked up by subject and, if found, the function
exits. In this case the other directories are not loaded. So later, when
the certificate found is not the one really requested and the loaded
cache is consulted, it is not filled as it should be and the certificate is
not found.
I think the lookup by subject in get_cert_by_subject() should be
performed after the outer loop finishes (see attached patch).
Regards
Martin
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
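The following is an added example that models the behaviour described in the report above; it is not OpenSSL's code from by_dir.c. Directories are represented as dictionaries keyed by a stand-in for the subject-name hash, the shared certificate cache is a plain list, and `subject_hash`, the sample directory contents and the serial numbers are constructed for illustration. It contrasts a lookup that returns from inside the directory loop with one that searches the cache only after every directory has been loaded.

```python
from collections import namedtuple

# Minimal stand-in for an X509 object: only the fields this model needs.
Cert = namedtuple("Cert", "subject serial")

# Constructed sample data: two hash directories, each holding a different
# certificate for the same subject under the same (simulated) name hash.
DIRS = [
    {"ab12cd34": [Cert("CN=Example CA", 1)]},
    {"ab12cd34": [Cert("CN=Example CA", 2)]},
]


def subject_hash(subject):
    """Assumed stand-in for X509_NAME_hash(): any deterministic mapping works."""
    return "ab12cd34" if subject == "CN=Example CA" else "00000000"


def load_dir_into_cache(directory, h, cache):
    """Add every cert in this directory with hash h to the shared cache."""
    for c in directory.get(h, []):
        if c not in cache:
            cache.append(c)


def lookup_early_return(dirs, subject, cache):
    """Model of the reported behaviour: the subject search runs inside the
    directory loop, so the function returns on the first match and the
    remaining directories are never loaded into the cache."""
    h = subject_hash(subject)
    for d in dirs:
        load_dir_into_cache(d, h, cache)
        for c in cache:
            if c.subject == subject:
                return c
    return None


def lookup_after_loop(dirs, subject, cache):
    """Model of the proposed fix: load the matching certs from every
    directory first, then search the cache by subject once."""
    h = subject_hash(subject)
    for d in dirs:
        load_dir_into_cache(d, h, cache)
    for c in cache:
        if c.subject == subject:
            return c
    return None


def find_specific_cert(lookup, subject, serial):
    """A validator first locates a candidate by subject, then consults the
    loaded cache for the cert it actually needs (here distinguished by
    serial number). With the early-return lookup the cache is incomplete."""
    cache = []
    lookup(DIRS, subject, cache)
    for c in cache:
        if c.subject == subject and c.serial == serial:
            return c
    return None


if __name__ == "__main__":
    for name, fn in (("early return", lookup_early_return),
                     ("after loop", lookup_after_loop)):
        for serial in (1, 2):
            print(name, "serial", serial, "->", find_specific_cert(fn, "CN=Example CA", serial))
```

Running the module shows the cert with serial 2 is only found once the search moves after the loop; the cert in the first directory is found either way, which is why the problem only appears when the required certificate lives in a later directory.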