From 18a4cbfac3553203c338337666f7f237d4b70bc2 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 2 Nov 2018 09:19:54 +0000
Subject: [PATCH] Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through one of the configured CRLs, the library would only consider those CRLs whose `issuer` field binary-matches the `subject` field of the CA that has issued the CRT in question. If those fields were not binary equivalent, the corresponding CRL was discarded. This is not in line with RFC 5280, which demands that the comparison should be format- and case-insensitive. For example: - If the same string is once encoded as a `PrintableString` and another time as a `UTF8String`, they should compare equal. - If two strings differ only in their choice of upper and lower case letters, they should compare equal. This commit fixes this by using the dedicated x509_name_cmp() function to compare the CRL issuer with the CA subject. Fixes #1784.
---
 library/x509_crt.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 147ebe7d5..46bbc15ab 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1784,9 +1784,7 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
 while( crl_list != NULL )
 {
 if( crl_list->version == 0 ||
- crl_list->issuer_raw.len != ca->subject_raw.len ||
- memcmp( crl_list->issuer_raw.p, ca->subject_raw.p,
- crl_list->issuer_raw.len ) != 0 )
+ x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 )
 {
 crl_list = crl_list->next;
 continue;
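Review bot: The relaxed match on the added `x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0` line makes more CRLs candidates for `ca` than the old byte-for-byte `issuer_raw`/`subject_raw` check did, so the safety of this selection now rests entirely on the CRL's signature presumably still being verified against `ca`'s key later in x509_crt_verifycrl, which is outside this hunk — worth confirming that check remains unconditional for every CRL that passes here. A one-line comment on the new condition would stop a future maintainer from "tightening" it back to a memcmp: `/* RFC 5280 name matching: encoding or case differences between CRL issuer and CA subject must not cause the CRL to be skipped */`. The diffstat shows only library/x509_crt.c changed; a regression test with a CRL whose issuer encodes the CA subject using a different string type (the #1784 case from the description) would pin the fix. The enclosing while loop and the function itself start before this hunk.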
@@ -1796,7 +1794,8 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
 * Check if the CA is configured to sign CRLs
 */
 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
- if( mbedtls_x509_crt_check_key_usage( ca, MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
+ if( mbedtls_x509_crt_check_key_usage( ca,
+ MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
 {
 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
 break;