From: pcarana <pc.moreno2099@gmail.com>
Date: Thu, 8 Aug 2019 21:06:15 +0000 (-0500)
Subject: Fix #13, reload stack to retry manifest validation
X-Git-Tag: v1.0.0^2~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=957afc672014585a45ac099de8e7d4d9ad9ff6c7;p=thirdparty%2FFORT-validator.git

Fix #13, reload stack to retry manifest validation
---

diff --git a/src/object/certificate.c b/src/object/certificate.c
index 4e983296..f0606d1b 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -1472,13 +1472,6 @@ certificate_traverse(struct rpp *rpp_parent, struct rpki_uri *cert_uri)
 	if (error)
 		goto revert_uri_and_refs;
 
-	/* -- Validate the manifest (@mft) pointed by the certificate -- */
-	error = x509stack_push(validation_certstack(state), cert_uri, cert,
-	    policy, IS_TA);
-	if (error)
-		goto revert_uri_and_refs;
-	cert = NULL; /* Ownership stolen */
-
 	/*
 	 * RFC 6481 section 5: "when the repository publication point contents
 	 * are updated, a repository operator cannot assure RPs that the
@@ -1490,6 +1483,16 @@ certificate_traverse(struct rpp *rpp_parent, struct rpki_uri *cert_uri)
 	 */
 	mft_retry = true;
 	do {
+		/* Validate the manifest (@mft) pointed by the certificate */
+		error = x509stack_push(validation_certstack(state), cert_uri,
+		    cert, policy, IS_TA);
+		if (error) {
+			if (!mft_retry)
+				uri_refput(mft);
+			goto revert_uri_and_refs;
+		}
+		cert = NULL; /* Ownership stolen */
+
 		error = handle_manifest(mft, &pp);
 		if (!mft_retry)
 			uri_refput(mft);
@@ -1501,6 +1504,13 @@ certificate_traverse(struct rpp *rpp_parent, struct rpki_uri *cert_uri)
 		error = download_files(caRepository, false, true);
 		if (error)
 			break;
+
+		/* Cancel stack, reload certificate (no need to revalidate) */
+		x509stack_cancel(validation_certstack(state));
+		error = certificate_load(cert_uri, &cert);
+		if (error) {
+			goto revert_uri_and_refs;
+		}
 		uri_refget(mft);
 		mft_retry = false;
 	} while (true);