feat(plugins): Disable revocation lists checks in ua_pki_openssl.c if…

… zero crl are loaded Avoid breakage for users of the 1.3 release family but still log a warning.
jpfr · Nov 23, 2024 · 6814248 · 6814248
1 parent efbaac0
commit 6814248
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/plugins/crypto/openssl/ua_pki_openssl.c b/plugins/crypto/openssl/ua_pki_openssl.c
@@ -503,6 +503,13 @@ openSSLCheckRevoked(CertContext *ctx, X509 *cert) {
     const X509_NAME *in = X509_get_issuer_name(cert);
     int size = sk_X509_CRL_num(ctx->skCrls);
 
+    if(size == 0) {
+        UA_LOG_WARNING(UA_Log_Stdout, UA_LOGCATEGORY_SECURITYPOLICY,
+                       "Zero revocation lists have been loaded. "
+                       "This seems intentional - omitting the check.");
+        return UA_STATUSCODE_GOOD;
+    }
+
     /* Loop over the crl and match the Issuer Name */
     UA_StatusCode res = UA_STATUSCODE_BADCERTIFICATEREVOCATIONUNKNOWN;
     for(int i = 0; i < size; i++) {