On Tue, Jan 18, 2022 at 06:38:46PM +0100, Claudio Jeker wrote:
> This is a follow-up to the valid_x509() commit from earlier today.
> tb@ suggested that the crl check should be grouped together.
> After some thought I decided to do this all differently.
> First of all introduce a checkcrl flag which turns on
> X509_V_FLAG_CRL_CHECK. This prevents code that expects a CRL to accept a
> cert where the CRL is NULL. Apart from this build_crls(),
> X509_STORE_CTX_set0_crls() and sk_X509_CRL_free() handle NULL inputs just
> fine so drop the if (crl != NULL) check for them.
>
> I think this is better and more secure
Yes, this is much better and easier to understand. I generally dislike such boolean flag values for functions (since you have no idea what they mean at the caller), but I think here it is for the better.

ok tb

> @@ -361,7 +360,7 @@ proc_parser_mft(char *file, const unsign
>
> a = valid_ski_aki(file, &auths, mft->ski, mft->aki);
>

Perhaps it's worth reinstating the comment that was removed in an earlier commit?

/* CRL checks disabled here because CRL is referenced from mft */

> - if (!valid_x509(file, x509, a, NULL)) {
> + if (!valid_x509(file, x509, a, NULL, 0)) {
> mft_free(mft);
> X509_free(x509);
> return NULL;
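Review bot: the literal 0 passed as the new last argument in `valid_x509(file, x509, a, NULL, 0)` says nothing at the call site about which check it turns off, and next to the NULL crl argument it reads like a missed check rather than a deliberate one. Reinstating the comment proposed above, `/* CRL checks disabled here because CRL is referenced from mft */`, directly above the call would record why this caller alone opts out of X509_V_FLAG_CRL_CHECK, and it is cheaper than a named constant for a single caller.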
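What the checkcrl flag from the thread actually changes is easiest to see from the outside. The script below is an added example, not rpki-client code and not part of the thread: it uses the openssl(1) command line rather than libcrypto, because `openssl verify -crl_check` sets the same X509_V_FLAG_CRL_CHECK flag on the verify context and `-CRLfile` hands it a CRL stack. It assumes an openssl binary is on PATH and generates its own throwaway CA, leaf certificate and CRL in a temporary directory (constructed test material); the names `verdict` and `crl_demo` are mine. The four verdicts it prints are the four cases the thread is about: no flag and no CRL (accepted, which is the silent failure the flag prevents), flag with crl == NULL (rejected), flag with a CRL that does not list the leaf (accepted), and flag with a CRL that revokes the leaf (rejected).

```shell
#!/bin/sh
# Added example (not rpki-client code): shows with openssl(1) what
# X509_V_FLAG_CRL_CHECK changes. Assumes `openssl` is installed.
# CA, leaf and CRL are generated on the fly (constructed test data).

# Run a command and print ok/fail instead of aborting, so callers
# running under set -e still get all four verdicts.
verdict() {
    if "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Body runs in a subshell so the cd and temp files do not leak out.
crl_demo() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    trap 'rm -rf "$work"' EXIT

    # Minimal CA config so `openssl ca` can sign and issue CRLs offline.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo
[ demo ]
database           = index.txt
new_certs_dir      = .
certificate        = ca.pem
private_key        = ca.key
serial             = serial
crlnumber          = crlnumber
default_md         = sha256
default_crl_days   = 30
policy             = any
[ any ]
commonName         = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
    : > index.txt; echo 01 > serial; echo 01 > crlnumber

    # Self-signed CA, a leaf issued by it, and an initially empty CRL.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj /CN=demo-ca -days 30 -config ca.cnf -extensions v3_ca >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj /CN=leaf -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem -days 30 -notext >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

    # 1. Flag off: the chain verifies although no CRL exists anywhere.
    nocheck=$(verdict openssl verify -CAfile ca.pem leaf.pem)
    # 2. Flag on, crl == NULL: hard failure ("unable to get certificate CRL").
    missing=$(verdict openssl verify -crl_check -CAfile ca.pem leaf.pem)
    # 3. Flag on, CRL supplied, leaf not listed: verifies.
    withcrl=$(verdict openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem)
    # 4. Revoke the leaf and reissue the CRL: now rejected ("certificate revoked").
    openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    revoked=$(verdict openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem)

    echo "nocheck=$nocheck missing-crl=$missing with-crl=$withcrl revoked=$revoked"
)

crl_demo
```

Case 1 versus case 2 is the point of the patch: with the flag off, a caller that forgot to supply a CRL (or got NULL from build_crls()) still sees a successful verification, so nothing about revocation was checked; with the flag on, the same situation is an error that the caller cannot miss.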