Do not check the signature on the trusted CA (it might not be the top of the chain)
diff --git a/library/x509parse.c b/library/x509parse.c
index e54e0b7..493cf3a 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3178,7 +3178,9 @@
}
/*
- * If top of chain is not the same as the trusted CA
+ * If top of chain is not the same as the trusted CA send a verify request
+ * to the callback for any issues with validity and CRL presence for the
+ * trusted CA certificate.
*/
if( trust_ca != NULL &&
( child->subject_raw.len != trust_ca->subject_raw.len ||
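Review bot: The new comment promises the callback a report on "validity and CRL presence" for the trusted CA, but the only check visible on this path sets BADCERT_EXPIRED from x509parse_time_expired(); unless a CRL lookup for trust_ca happens in the lines between the two hunks, the comment overstates what the callback sees. Suggest wording it as `If the top of the chain is not the trusted CA itself, pass the trusted CA to the verify callback so it can flag validity issues (and CRL issues where such a check is done).` The `if( trust_ca != NULL && ...` condition continues past the end of this hunk.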
@@ -3191,16 +3193,6 @@
if( x509parse_time_expired( &trust_ca->valid_to ) )
ca_flags |= BADCERT_EXPIRED;
- hash_id = trust_ca->sig_alg;
-
- x509_hash( trust_ca->tbs.p, trust_ca->tbs.len, hash_id, hash );
-
- if( rsa_pkcs1_verify( &trust_ca->rsa, RSA_PUBLIC, hash_id,
- 0, hash, trust_ca->sig.p ) != 0 )
- {
- ca_flags |= BADCERT_NOT_TRUSTED;
- }
-
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
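Review bot: Dropping the self-signature check is right from a security standpoint — a self-signature is trivially forgeable and proves nothing beyond the certificate's presence in the trust store, and a non-root trust anchor would never have verified here anyway — but the code should say so or the check will be reintroduced. Suggest a comment above the expiry check: `/* No signature check: trust_ca is trusted by its presence in the store, not by self-signature (it may be an intermediate). */`. After this removal `hash_id` and `hash` may be unused in the function if these were their only uses (their declarations are outside the hunk), so check for unused-variable warnings. ca_flags now reaches f_vrfy carrying at most BADCERT_EXPIRED, so a callback that relied on BADCERT_NOT_TRUSTED here no longer sees it; the chain's link to trust_ca is presumably verified elsewhere in this function, which I cannot confirm from this hunk.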