@@ -840,7 +840,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg |
840 | 840 |
cli_dbgmsg("asn1_parse_mscat: %u new certificates collected\n", newcerts.items); |
841 | 841 |
while(x509) { |
842 | 842 |
cli_crt *parent = crtmgr_verify_crt(cmgr, x509); |
843 |
- if(parent) { |
|
843 |
+ if(parent && !(parent->isBlacklisted)) { |
|
844 | 844 |
x509->codeSign &= parent->codeSign; |
845 | 845 |
x509->timeSign &= parent->timeSign; |
846 | 846 |
if(crtmgr_add(cmgr, x509)) |
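Review bot: The new condition on line 843 drops a certificate whose issuer is blacklisted without leaving any trace, while the surrounding code (the `cli_dbgmsg` at 840) reports what it collects; a chain rejected because of a blacklisted issuer is exactly the event an analyst wants to see in the debug log. Consider splitting the test so the rejection is logged, e.g. `if(parent && parent->isBlacklisted) { cli_dbgmsg("asn1_parse_mscat: issuer certificate is blacklisted, skipping\n"); } else if(parent) {`. The loop body continues outside the hunk, so what happens to the skipped certificate afterwards (presumably it simply is not added to the manager) cannot be confirmed here.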
@@ -31,6 +31,7 @@ int cli_crt_init(cli_crt *x509) { |
31 | 31 |
cli_errmsg("cli_crt_init: mp_init_multi failed with %d\n", ret); |
32 | 32 |
return 1; |
33 | 33 |
} |
34 |
+ x509->isBlacklisted = 0; |
|
34 | 35 |
x509->not_before = x509->not_after = 0; |
35 | 36 |
x509->prev = x509->next = NULL; |
36 | 37 |
x509->certSign = x509->codeSign = x509->timeSign = 0; |
@@ -116,6 +117,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) { |
116 | 116 |
i->certSign = x509->certSign; |
117 | 117 |
i->codeSign = x509->codeSign; |
118 | 118 |
i->timeSign = x509->timeSign; |
119 |
+ i->isBlacklisted = x509->isBlacklisted; |
|
119 | 120 |
i->next = m->crts; |
120 | 121 |
i->prev = NULL; |
121 | 122 |
if(m->crts) |
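Review bot: The flag is copied into the new list entry here, but if crtmgr_add rejects duplicates earlier in the function (its start is outside the hunk), a blacklist entry for a certificate that is already present would be silently dropped and the existing trusted entry would keep matching in crtmgr_verify_pkcs7. It is worth confirming that ordering, or handling the duplicate case by OR-ing `x509->isBlacklisted` into the matching entry's flag so that a later blacklist entry always takes effect. Since this is the only place the flag enters the manager, a short comment such as `/* blacklisted entries stay in the list so lookups can reject matching chains */` would make the intent clear to the next reader.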
@@ -314,8 +316,11 @@ cli_crt *crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const uint8_t *se |
314 | 314 |
continue; |
315 | 315 |
if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) && |
316 | 316 |
!memcmp(i->serial, serial, sizeof(i->serial)) && |
317 |
- !crtmgr_rsa_verify(i, &sig, hashtype, refhash)) |
|
317 |
+ !crtmgr_rsa_verify(i, &sig, hashtype, refhash)) { |
|
318 |
+ if (i->isBlacklisted) |
|
319 |
+ i = NULL; |
|
318 | 320 |
break; |
321 |
+ } |
|
319 | 322 |
} |
320 | 323 |
mp_clear(&sig); |
321 | 324 |
return i; |