common

Timestamp:

May 18, 2020 1:38:38 PM (5 years ago)

Author:

vboxsync

Message:

IPRT: RISKY: rtCrPkcs7VerifySignerInfo should pass trusted certificates to the path machinery too, they could be expired and otherwise unsuitable. bugref:9699

File:

: 1 edited

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

-              r84330
+              r84331
      */
     int rc = VINF_SUCCESS;
+    if (   (   hSignerCertSrc == NIL_RTCRSTORE
+            || hSignerCertSrc != hTrustedCerts ) /** @todo 'hSignerCertSrc != hTrustedCerts' ain't making sense wrt pValidationTime */
+        && !(fFlags & RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS) )
+    if (   /*(   hSignerCertSrc == NIL_RTCRSTORE
+            || hSignerCertSrc != hTrustedCerts )
+        &&*/ /** @todo 'hSignerCertSrc != hTrustedCerts' ain't making sense wrt pValidationTime */
+        !(fFlags & RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS) )
+    {
         RTCRX509CERTPATHS hCertPaths;

Note: See TracChangeset for help on using the changeset viewer.

Changeset 84331 in vbox for trunk/src/VBox/Runtime/common

Legend:

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

Download in other formats: