]> git.saurik.com Git - apple/security.git/blobdiff - Security/libsecurity_apple_x509_tp/lib/TPDatabase.cpp
projects / apple / security.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security-57031.30.12.tar.gz
[apple/security.git] / Security / libsecurity_apple_x509_tp / lib / TPDatabase.cpp
diff --git a/Security/libsecurity_apple_x509_tp/lib/TPDatabase.cpp b/Security/libsecurity_apple_x509_tp/lib/TPDatabase.cpp
index 583b7c10a95c7c90fefc01437d9fe9ccc96fda2c..5ba632f959498ad730dad61b40b75a9f5b99c4a1 100644 (file)
--- a/Security/libsecurity_apple_x509_tp/lib/TPDatabase.cpp
+++ b/Security/libsecurity_apple_x509_tp/lib/TPDatabase.cpp
@@ -96,7 +96,8 @@ TPCertInfo *tpDbFindIssuerCert(
        const TPClItemInfo              *subjectItem,
        const CSSM_DL_DB_LIST   *dbList,
        const char                              *verifyTime,            // may be NULL
-       bool                                    &partialIssuerKey)      // RETURNED
+       bool                                    &partialIssuerKey,      // RETURNED
+    TPCertInfo              *oldRoot)
 {
        StLock<Mutex> _(SecTrustKeychainsGetMutex());
 
@@ -187,11 +188,16 @@ TPCertInfo *tpDbFindIssuerCert(
                                }
                        }
                        switch(crtn) {
-                               case CSSM_OK:
-                                       break;
                                case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
                                        partialIssuerKey = true;
                                        break;
+                case CSSM_OK:
+                    if((oldRoot == NULL) ||
+                       !tp_CompareCerts(issuerCert->itemData(), oldRoot->itemData())) {
+                        /* We found a new root cert which does not match the old one */
+                        break;
+                    }
+                    /* else fall through to search for a different one */
                                default:
                                        if(issuerCert != NULL) {
                                                /* either holding onto this cert, or done with it. */
@@ -265,8 +271,12 @@ TPCertInfo *tpDbFindIssuerCert(
                                                foundIt = false;
                                                switch(crtn) {
                                                        case CSSM_OK:
-                                                               foundIt = true;
-                                                               break;
+                                /* duplicate check, again */
+                                if((oldRoot == NULL) ||
+                                   !tp_CompareCerts(issuerCert->itemData(), oldRoot->itemData())) {
+                                    foundIt = true;
+                                }
+                                break;
                                                        case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
                                                                partialIssuerKey = true;
                                                                foundIt = true;
mirror of Security