From 3497d8c7bface32664cb9af14ed542f30bd7cac6 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Sat, 24 Nov 2012 11:53:17 +0100
Subject: [PATCH] Do not check sig on trust-ca (might not be top)
---
 library/x509parse.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/library/x509parse.c b/library/x509parse.c
index e54e0b78d..493cf3a99 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3178,7 +3178,9 @@ static int x509parse_verify_top(
 }
 
 /*
- * If top of chain is not the same as the trusted CA
+ * If top of chain is not the same as the trusted CA send a verify request
+ * to the callback for any issues with validity and CRL presence for the
+ * trusted CA certificate.
 */
 if( trust_ca != NULL &&
 ( child->subject_raw.len != trust_ca->subject_raw.len ||
@@ -3191,16 +3193,6 @@ static int x509parse_verify_top(
 if( x509parse_time_expired( &trust_ca->valid_to ) )
 ca_flags |= BADCERT_EXPIRED;
 
- hash_id = trust_ca->sig_alg;
-
- x509_hash( trust_ca->tbs.p, trust_ca->tbs.len, hash_id, hash );
-
- if( rsa_pkcs1_verify( &trust_ca->rsa, RSA_PUBLIC, hash_id,
- 0, hash, trust_ca->sig.p ) != 0 )
- {
- ca_flags |= BADCERT_NOT_TRUSTED;
- }
-
 if( NULL != f_vrfy )
 {
 if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
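Review bot: The rewritten comment above the `trust_ca != NULL` check in the first hunk lists what is reported to the callback but not what is now deliberately skipped: the trusted CA's own signature is no longer verified, which the subject line attributes to the trust CA possibly not being the top of its chain. I would state that in the comment, for example `* The trusted CA's own signature is not checked here: it is trusted by configuration and might not be the top of its chain.`, so a later reader neither re-adds the self-verification nor expects `ca_flags` to carry BADCERT_NOT_TRUSTED for this certificate in `f_vrfy`. The comment also promises CRL presence, while the lines visible in the second hunk only set BADCERT_EXPIRED; any CRL check would sit in the lines between the two hunks, which are not shown. The body of x509parse_verify_top starts and ends outside both hunks.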