From: Howard Chu
Date: Sat, 30 Jan 2010 23:32:50 +0000 (+0000)
Subject: ITS#6466 certificateListValidate: Empty Sequence-of is legal
X-Git-Tag: MIGRATION_CVS2GIT~706
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=0e16b2ea55b49dc0b2c031f27f9606895f1ee74c;p=openldap
ITS#6466 certificateListValidate: Empty Sequence-of is legal
---
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 68e6d282d4..9211daee78 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -326,9 +326,12 @@ certificateListValidate( Syntax *syntax, struct berval *in )
 /* revokedCertificates - Sequence of Sequence, Optional */
 if ( tag == LBER_SEQUENCE ) {
 ber_len_t seqlen;
- if ( ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE ) {
- /* Should NOT be empty */
- ber_skip_data( ber, len );
+ ber_tag_t stag;
+ stag = ber_peek_tag( ber, &seqlen );
+ if ( stag == LBER_SEQUENCE || !len ) {
+ /* RFC5280 requires non-empty, but X.509(2005) allows empty. */
+ if ( len )
+ ber_skip_data( ber, len );
 tag = ber_skip_tag( ber, &len );
 }
 }
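Review bot: In the new condition `stag == LBER_SEQUENCE || !len`, the peek runs even when the outer revokedCertificates length is 0, so `stag` and `seqlen` then describe whatever element follows the empty sequence rather than a revoked-certificate entry. Testing the length first keeps the peek inside the sequence and removes the extra local: `if ( !len || ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE ) {`. The return value of `ber_skip_data( ber, len )` is still ignored and only the first entry's tag is inspected before the rest is skipped by length, so unless `len` is bounded against the remaining buffer earlier in the function (not visible here; the validator's body starts and ends outside the hunk), a truncated or malformed list could pass this syntax check. A short comment noting that a non-empty list whose first element is not a SEQUENCE falls through with `tag` still `LBER_SEQUENCE` would help readers confirm that the later checks reject it.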