Support for multiple CRLs with same issuer name in X509_STORE. Modify

verify logic to try to use an unexpired CRL if possible.
author: Dr. Stephen Henson <steve@openssl.org> 2006-07-25 17:39:38 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2006-07-25 17:39:38 +0000
commit: f6e7d014508b020818707d4b1544379e8b742e32 (patch)
tree: d974f0b497d3d31a71e4e872ed3a847eb7ceab7c /crypto/x509/x509_lu.c
parent: edc540211c4852c57c01743a068aecc0e0a97b5c (diff)
download: openssl-f6e7d014508b020818707d4b1544379e8b742e32.tar.gz
1 files changed, 13 insertions, 2 deletions
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index cd2cfb6d85..fbb1497fe2 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -459,13 +459,24 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
 	X509_OBJECT *obj;
 	idx = sk_X509_OBJECT_find(h, x);
 	if (idx == -1) return NULL;
-	if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
+	if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
+		return sk_X509_OBJECT_value(h, idx);
 	for (i = idx; i < sk_X509_OBJECT_num(h); i++)
 		{
 		obj = sk_X509_OBJECT_value(h, i);
 		if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
 			return NULL;
-		if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
+		if (x->type == X509_LU_X509)
+			{
+			if (!X509_cmp(obj->data.x509, x->data.x509))
+				return obj;
+			}
+		else if (x->type == X509_LU_CRL)
+			{
+			if (!X509_CRL_match(obj->data.crl, x->data.crl))
+				return obj;
+			}
+		else
 			return obj;
 		}
 	return NULL;
author	Dr. Stephen Henson <steve@openssl.org>	2006-07-25 17:39:38 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2006-07-25 17:39:38 +0000
commit	f6e7d014508b020818707d4b1544379e8b742e32 (patch)
tree	d974f0b497d3d31a71e4e872ed3a847eb7ceab7c /crypto/x509/x509_lu.c
parent	edc540211c4852c57c01743a068aecc0e0a97b5c (diff)
download	openssl-f6e7d014508b020818707d4b1544379e8b742e32.tar.gz