1 files changed, 17 insertions, 2 deletions

diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c
index b4ae37b2e..d52078ea9 100755
--- a/src/libstrongswan/crypto/crl.c
+++ b/src/libstrongswan/crypto/crl.c
@@ -18,6 +18,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: crl.c 3300 2007-10-12 21:53:18Z andreas $
  */
 
 #include <sys/stat.h>
@@ -290,7 +292,8 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
 					}
 					else if (extn_oid == OID_AUTHORITY_KEY_ID)
 					{
-						parse_authorityKeyIdentifier(object, level, &crl->authKeyID, &crl->authKeySerialNumber);
+						x509_parse_authorityKeyIdentifier(object, level,
+								&crl->authKeyID, &crl->authKeySerialNumber);
 					}
 					else if (extn_oid == OID_CRL_NUMBER)
 					{
@@ -304,6 +307,11 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
 				break;
 			case CRL_OBJ_ALGORITHM:
 				crl->algorithm = parse_algorithmIdentifier(object, level, NULL);
+				if (crl->algorithm != crl->sigAlg)
+				{
+					DBG1("  signature algorithms do not agree");
+					return FALSE;
+				}
 				break;
 			case CRL_OBJ_SIGNATURE:
 				crl->signature = object;
@@ -374,7 +382,14 @@ static bool is_newer(const private_crl_t *this, const private_crl_t *other)
  */
 static bool verify(const private_crl_t *this, const rsa_public_key_t *signer)
 {
-	return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertList, this->signature) == SUCCESS;
+	hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->algorithm);
+
+	if (algorithm == HASH_UNKNOWN)
+	{
+		DBG1("  unknown signature algorithm");
+		return FALSE;
+	}
+	return signer->verify_emsa_pkcs1_signature(signer, algorithm, this->tbsCertList, this->signature) == SUCCESS;
 }
 
 /**