commit 3497d8c7bface32664cb9af14ed542f30bd7cac6
author Paul Bakker <p.j.bakker@polarssl.org> Sat Nov 24 11:53:17 2012 +0100
committer Paul Bakker <p.j.bakker@polarssl.org> Sat Nov 24 11:53:17 2012 +0100
tree 09efecbd5490ffa5cb0c7be8a53ac123e19b1a00
parent 769075dfb679f7be45d40e733bdae8214513e417

Do not check sig on trust-ca (might not be top)

library/x509parse.c

diff --git a/library/x509parse.c b/library/x509parse.c
index e54e0b7..493cf3a 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3178,7 +3178,9 @@
     }
 
     /*
-     * If top of chain is not the same as the trusted CA
+     * If top of chain is not the same as the trusted CA send a verify request
+     * to the callback for any issues with validity and CRL presence for the
+     * trusted CA certificate.
      */
     if( trust_ca != NULL &&
         ( child->subject_raw.len != trust_ca->subject_raw.len ||
@@ -3191,16 +3193,6 @@
         if( x509parse_time_expired( &trust_ca->valid_to ) )
             ca_flags |= BADCERT_EXPIRED;
 
-        hash_id = trust_ca->sig_alg;
-
-        x509_hash( trust_ca->tbs.p, trust_ca->tbs.len, hash_id, hash );
-
-        if( rsa_pkcs1_verify( &trust_ca->rsa, RSA_PUBLIC, hash_id,
-                    0, hash, trust_ca->sig.p ) != 0 )
-        {
-            ca_flags |= BADCERT_NOT_TRUSTED;
-        }
-
         if( NULL != f_vrfy )
         {
             if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )