Maintain self-issued bit in a local variable

EXFLAG_SI is recomputed in each loop anyway, so there is no point
storing it with the certificate in the first place. It is also, in this
code, not *entirely* path-independent due to the is_root check. This
fixes a potential bug where checking one path impacts the behavior of
another path.

Change-Id: If9b0d157dd49c44723c1a8e2f83eebfc3fc2779c
Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/2737756
Reviewed-by: Brandon Tolsch <btolsch@chromium.org>
Commit-Queue: Brandon Tolsch <btolsch@chromium.org>
diff --git a/cast/common/certificate/cast_cert_validator_internal.cc b/cast/common/certificate/cast_cert_validator_internal.cc
index 931ae26..94e2ac6 100644
--- a/cast/common/certificate/cast_cert_validator_internal.cc
+++ b/cast/common/certificate/cast_cert_validator_internal.cc
@@ -115,6 +115,7 @@
     X509* subject = path[i + 1].cert;
     X509* issuer = path[i].cert;
     bool is_root = (i == step_index);
+    bool issuer_is_self_issued = false;
     if (!is_root) {
       if ((error = VerifyCertTime(issuer, time)) != Error::Code::kNone) {
         return error;
@@ -126,14 +127,10 @@
         }
         --max_pathlen;
       } else {
-        // TODO(davidben): This code repurposes BoringSSL's internal caches for
-        // application-specific storage. Manage this state separately.
-        issuer->ex_flags |= EXFLAG_SI;
+        issuer_is_self_issued = true;
       }
     } else {
-      // TODO(davidben): This code repurposes BoringSSL's internal caches for
-      // application-specific storage. Manage this state separately.
-      issuer->ex_flags |= EXFLAG_SI;
+      issuer_is_self_issued = true;
     }
 
     bssl::UniquePtr<ASN1_BIT_STRING> key_usage = GetKeyUsage(issuer);
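Review bot: The outer `else` arm (the `is_root` case) sets `issuer_is_self_issued = true` without any name comparison, and with the old TODO removed nothing in the code explains why the root is treated this way. A short comment on that assignment would help, e.g. `// The root is always treated as self-issued: it never decrements max_pathlen and the name-constraint check below is skipped for this step.` The condition guarding the inner `else` lies outside the hunk, so the non-root criterion cannot be confirmed from here. The commit message describes a cross-path interaction through the shared `X509` object, but no test change is visible on this page; a regression test that validates two paths reusing the same certificate in root and non-root positions would pin the fix.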
@@ -181,8 +178,7 @@
 
     // NOTE: (!self-issued || target) -> verify name constraints.  Target case
     // is after the loop.
-    const bool is_self_issued = issuer->ex_flags & EXFLAG_SI;
-    if (!is_self_issued) {
+    if (!issuer_is_self_issued) {
       for (NAME_CONSTRAINTS* name_constraints : path_name_constraints) {
         if (NAME_CONSTRAINTS_check(subject, name_constraints) != X509_V_OK) {
           return Error::Code::kErrCertsVerifyGeneric;
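Review bot: The name-constraint loop is gated on `issuer_is_self_issued`, but the certificate handed to `NAME_CONSTRAINTS_check` is `subject`, and the NOTE above says only "self-issued" without naming which certificate it means. RFC 5280 section 6.1.3 exempts a certificate from name constraints when that certificate itself is self-issued and is not the final one in the path, so it is worth confirming that keying the skip on the issuer is intended. This behaviour predates the commit, which only moves the flag into a local. If it is intended, the NOTE could say so, e.g. `// NOTE: (!issuer-self-issued || target) -> verify name constraints on |subject|.` The enclosing loop starts and ends outside the hunk.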