ITS#6466 certificateListValidate: Empty Sequence-of is legal

author Howard Chu <hyc@openldap.org>

Sat, 30 Jan 2010 23:32:50 +0000 (23:32 +0000)

committer Howard Chu <hyc@openldap.org>

Sat, 30 Jan 2010 23:32:50 +0000 (23:32 +0000)
author Howard Chu <hyc@openldap.org>
Sat, 30 Jan 2010 23:32:50 +0000 (23:32 +0000)
committer Howard Chu <hyc@openldap.org>
Sat, 30 Jan 2010 23:32:50 +0000 (23:32 +0000)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c

index 68e6d282d470977feae00e1b87bcab60e9792ec3..9211daee789df6720cdda2eff0f3ea93c4cecc75 100644 (file)
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -326,9 +326,12 @@ certificateListValidate( Syntax *syntax, struct berval *in )
         /* revokedCertificates - Sequence of Sequence, Optional */
         if ( tag == LBER_SEQUENCE ) {
                 ber_len_t seqlen;
-               if ( ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE ) {
-                       /* Should NOT be empty */
-                       ber_skip_data( ber, len );
+               ber_tag_t stag;
+               stag = ber_peek_tag( ber, &seqlen );
+               if ( stag == LBER_SEQUENCE || !len ) {
+                       /* RFC5280 requires non-empty, but X.509(2005) allows empty. */
+                       if ( len )
+                               ber_skip_data( ber, len );
                         tag = ber_skip_tag( ber, &len );
                 }
         }
author	Howard Chu <hyc@openldap.org>
	Sat, 30 Jan 2010 23:32:50 +0000 (23:32 +0000)
committer	Howard Chu <hyc@openldap.org>
	Sat, 30 Jan 2010 23:32:50 +0000 (23:32 +0000)