Fix code for checking expired certificates on load

Fixes CID 1306915, which noticed that the check was dead.
This commit is contained in:
Nick Mathewson 2015-09-01 09:47:51 -04:00
parent 53c99cce5e
commit f64ef65b9d

View File

@ -482,10 +482,12 @@ ed_key_init_from_file(const char *fname, uint32_t flags,
tor_log(severity, LD_OR, "Cert was for wrong key"); tor_log(severity, LD_OR, "Cert was for wrong key");
bad_cert = 1; bad_cert = 1;
} else if (signing_key && } else if (signing_key &&
tor_cert_checksig(cert, &signing_key->pubkey, now) < 0 && tor_cert_checksig(cert, &signing_key->pubkey, now) < 0) {
(signing_key || cert->cert_expired)) {
tor_log(severity, LD_OR, "Can't check certificate"); tor_log(severity, LD_OR, "Can't check certificate");
bad_cert = 1; bad_cert = 1;
} else if (cert->cert_expired) {
tor_log(severity, LD_OR, "Certificate is expired");
bad_cert = 1;
} else if (signing_key && cert->signing_key_included && } else if (signing_key && cert->signing_key_included &&
! ed25519_pubkey_eq(&signing_key->pubkey, &cert->signing_key)) { ! ed25519_pubkey_eq(&signing_key->pubkey, &cert->signing_key)) {
tor_log(severity, LD_OR, "Certificate signed by unexpectd key!"); tor_log(severity, LD_OR, "Certificate signed by unexpectd key!");