PKIX: Allow a V0 TA to appear at end of the cert path.

author: Peter Dettman <peter.dettman@bouncycastle.org> 2018-04-17 13:32:41 +0700
committer: Peter Dettman <peter.dettman@bouncycastle.org> 2018-04-17 13:32:41 +0700
commit: c1fe1982e3a7d0748e98ec4e4c54d098e74fc658 (patch)
tree: 00cc1ede3d38d257525270495a054d26cabe723d /crypto/src/pkix/PkixCertPathValidator.cs
parent: PKIX: explicit validation of version number and extension repeats (diff)
download: BouncyCastle.NET-ed25519-c1fe1982e3a7d0748e98ec4e4c54d098e74fc658.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/src/pkix/PkixCertPathValidator.cs b/crypto/src/pkix/PkixCertPathValidator.cs
index 1d7c00d7d..64039f9f1 100644
--- a/crypto/src/pkix/PkixCertPathValidator.cs
+++ b/crypto/src/pkix/PkixCertPathValidator.cs
@@ -289,6 +289,10 @@ namespace Org.BouncyCastle.Pkix
                 {
                     if (cert != null && cert.Version == 1)
                     {
+                        // we've found the trust anchor at the top of the path, ignore and keep going
+                        if ((i == 1) && cert.Equals(trust.TrustedCert))
+                            continue;
+
                         throw new PkixCertPathValidatorException(
 							"Version 1 certificates can't be used as CA ones.", null, certPath, index);
                     }
author	Peter Dettman <peter.dettman@bouncycastle.org>	2018-04-17 13:32:41 +0700
committer	Peter Dettman <peter.dettman@bouncycastle.org>	2018-04-17 13:32:41 +0700
commit	c1fe1982e3a7d0748e98ec4e4c54d098e74fc658 (patch)
tree	00cc1ede3d38d257525270495a054d26cabe723d /crypto/src/pkix/PkixCertPathValidator.cs
parent	PKIX: explicit validation of version number and extension repeats (diff)
download	BouncyCastle.NET-ed25519-c1fe1982e3a7d0748e98ec4e4c54d098e74fc658.tar.xz