Reject certificate chains where the adjacent certificates have the same subject.

This is a backport of 31f31800705880da6ec185f9b31c7e125ae18c38 from master.
author: Carl Hetherington <cth@carlh.net> 2019-06-26 15:54:09 +0100
committer: Carl Hetherington <cth@carlh.net> 2019-10-01 22:18:12 +0200
commit: f5dd8fb0d86bd56d637f6a1921591044a5ef2a03 (patch)
tree: 264fb26e3fffdb6b7c30a8e2e6be4afb7fddf8cd /src
parent: 4e6637feaff73fcf6ed44a85b96a3b0f74180de9 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/src/certificate_chain.cc b/src/certificate_chain.cc
index 61414436..0d99d1c9 100644
--- a/src/certificate_chain.cc
+++ b/src/certificate_chain.cc
@@ -464,10 +464,11 @@ CertificateChain::chain_valid (List const & chain) const
 			return false;
 		}
 
-		/* I don't know why OpenSSL doesn't check this in verify_cert, but without this check
-		   the certificates_validation8 test fails.
+		/* I don't know why OpenSSL doesn't check this stuff
+		   in verify_cert, but without these checks the
+		   certificates_validation8 test fails.
 		*/
-		if (j->issuer() != i->subject()) {
+		if (j->issuer() != i->subject() || j->subject() == i->subject()) {
 			X509_STORE_free (store);
 			return false;
 		}
author	Carl Hetherington <cth@carlh.net>	2019-06-26 15:54:09 +0100
committer	Carl Hetherington <cth@carlh.net>	2019-10-01 22:18:12 +0200
commit	f5dd8fb0d86bd56d637f6a1921591044a5ef2a03 (patch)
tree	264fb26e3fffdb6b7c30a8e2e6be4afb7fddf8cd /src
parent	4e6637feaff73fcf6ed44a85b96a3b0f74180de9 (diff)