authorCarl Hetherington <cth@carlh.net>2019-06-26 15:54:09 +0100
committerCarl Hetherington <cth@carlh.net>2019-06-26 15:54:09 +0100
commit31f31800705880da6ec185f9b31c7e125ae18c38 (patch)
tree00d33f641ee112728188022ae82aac474ecf2c1f /src
parentac1602d2fc8bd6498c4d3fb514d9b83b537e02b9 (diff)
Reject certificate chains where the adjacent certificates have the same subject.
Diffstat (limited to 'src')
-rw-r--r--src/certificate_chain.cc7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/certificate_chain.cc b/src/certificate_chain.cc
index 61414436..0d99d1c9 100644
--- a/src/certificate_chain.cc
+++ b/src/certificate_chain.cc
@@ -464,10 +464,11 @@ CertificateChain::chain_valid (List const & chain) const
return false;
}
- /* I don't know why OpenSSL doesn't check this in verify_cert, but without this check
- the certificates_validation8 test fails.
+ /* I don't know why OpenSSL doesn't check this stuff
+ in verify_cert, but without these checks the
+ certificates_validation8 test fails.
*/
- if (j->issuer() != i->subject()) {
+ if (j->issuer() != i->subject() || j->subject() == i->subject()) {
X509_STORE_free (store);
return false;
}
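Review bot: The rewritten comment above the new condition says only "this stuff", so the two invariants this `if` enforces during chain validation are left for the reader to reverse-engineer from the expression. I would name them, e.g. `/* OpenSSL's verify_cert enforces neither of these: j must be issued by i (j's issuer == i's subject), and j must not reuse i's subject. certificates_validation8 fails without them. */`. It is also worth stating there that both clauses compare names only and presumably rely on the earlier verify step for the signature check, so nobody later treats this block as sufficient on its own. The comment says certificates_validation8 needs "these checks", but no test change is visible in this diff; if that test does not present an adjacent pair with identical subjects, a dedicated case would pin the new clause. chain_valid starts and ends outside the hunk.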