Making sure VerifyCACertForUsage checks CRL if usage is statusResponder. Changes reviewed by Bob Relyea

2024-11-26 14:22:01 +00:00 · 2002-08-23 18:02:10 +00:00 · 2002-08-23 18:02:10 +00:00 · 5fcabb2b51
commit 5fcabb2b51
parent e047d51485
1 changed files with 13 additions and 0 deletions
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@ -1016,6 +1016,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
    unsigned int caCertType;
    unsigned int requiredCAKeyUsage;
    unsigned int requiredFlags;
+    CERTCertificate *issuerCert;


    if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
@ -1100,6 +1101,18 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
 	    if ( ( flags & requiredFlags ) == requiredFlags ||
 		     certUsage == certUsageStatusResponder ) {
 		    /* we found a trusted one, so return */
+        //Check  the special case of certUsageStatusResponder
+        if(certUsage == certUsageStatusResponder) {
+           issuerCert = CERT_FindCertIssuer(cert, t, certUsage);
+	         if (issuerCert) {
+              if(SEC_CheckCRL(handle, cert, issuerCert, t, wincx) != SECSuccess) {
+                 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+                 CERT_DestroyCertificate(issuerCert);
+                 goto loser;
+              }
+              CERT_DestroyCertificate(issuerCert);
+           }
+        }
 		    rv = rvFinal; 
 		    goto done;
 	    }