From: Howard Chu
Date: Mon, 24 Sep 2007 07:55:56 +0000 (+0000)
Subject: ITS#5151 fix CertificateListValidate
X-Git-Tag: OPENLDAP_REL_ENG_2_4_9~20^2~600
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=d322eb96c3fafa6b7009eb1b31720f827784a56f;p=openldap
ITS#5151 fix CertificateListValidate
---
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 9dd8642d3c..30b326a04e 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -222,21 +222,23 @@ static int certificateListValidate( Syntax *syntax, struct berval *in )
 if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
 ber_skip_data( ber, len );
 tag = ber_skip_tag( ber, &len ); /* thisUpdate */
- /* NOTE: in the certificates I'm playing with, the time is UTC.
- * maybe the tag is different from 0x17U for generalizedTime? */
- if ( tag != 0x17U ) return LDAP_INVALID_SYNTAX;
+ /* Time is a CHOICE { UTCTime, GeneralizedTime } */
+ if ( tag != 0x17U && tag != 0x18U ) return LDAP_INVALID_SYNTAX;
 ber_skip_data( ber, len );
 /* Optional nextUpdate */
 tag = ber_skip_tag( ber, &len );
- if ( tag == 0x17U ) {
+ if ( tag == 0x17U || tag == 0x18U ) {
 ber_skip_data( ber, len );
 tag = ber_skip_tag( ber, &len );
 }
- /* Optional revokedCertificates */
+ /* revokedCertificates - Sequence of Sequence, Optional */
 if ( tag == LBER_SEQUENCE ) {
- /* Should NOT be empty */
- ber_skip_data( ber, len );
- tag = ber_skip_tag( ber, &len );
+ ber_len_t seqlen;
+ if ( ber_peek_tag( ber, &seqlen ) == LBER_SEQUENCE ) {
+ /* Should NOT be empty */
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len );
+ }
 }
 /* Optional Extensions */
 if ( tag == SLAP_X509_OPT_CL_CRLEXTENSIONS ) { /* ? */
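Review bot: The new `ber_peek_tag` test in the revokedCertificates branch is a look-ahead that decides which SEQUENCE was just read, but nothing in the code says so, and `seqlen` is written without ever being compared to the outer `len`. When the peek does not find an inner SEQUENCE, `tag` stays LBER_SEQUENCE and the data is not skipped, presumably so the code after the hunk can treat it as the signatureAlgorithm; a comment such as `/* not a SEQUENCE OF SEQUENCE: revokedCertificates is absent, leave tag for the signatureAlgorithm check below */` would make that dependency explicit. Since this validator presumably runs on certificate-list values handed to the server, it is also worth confirming that an inner length larger than the enclosing one is rejected, e.g. `if ( seqlen > len ) return LDAP_INVALID_SYNTAX;` as the first statement inside the new `if`. The body of certificateListValidate starts and ends outside this hunk, so the later checks are not visible here.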