automata-network · preston4896 · Feb 10, 2025 · Feb 10, 2025 · Feb 12, 2025 · Feb 12, 2025
diff --git a/.gitmodules b/.gitmodules
@@ -10,4 +10,4 @@
 [submodule "lib/automata-on-chain-pccs"]
 	path = lib/automata-on-chain-pccs
 	url = https://github.com/automata-network/automata-on-chain-pccs
-	branch = main
+	branch = DEV-3784
diff --git a/contracts/bases/X509ChainBase.sol b/contracts/bases/X509ChainBase.sol
@@ -69,17 +69,18 @@
         bool verified;
         bool certChainCanBeTrusted;
         for (uint256 i = 0; i < n; i++) {
+            X509CertObj memory current = certs[i];
             X509CertObj memory issuer;
+            bytes memory crl;
             if (i == n - 1) {
                 // rootCA
-                issuer = certs[i];
+                issuer = current;
             } else {
                 issuer = certs[i + 1];
-                bytes memory crl;
                 if (i == n - 2) {
                     (, crl) = pccsRouter.getCrl(CA.ROOT);
                 } else if (i == 0) {
-                    string memory issuerName = certs[i].issuerCommonName;
+                    string memory issuerName = current.issuerCommonName;
                     if (LibString.eq(issuerName, PLATFORM_ISSUER_NAME)) {
                         (, crl) = pccsRouter.getCrl(CA.PLATFORM);
                     } else if (LibString.eq(issuerName, PROCESSOR_ISSUER_NAME)) {
@@ -88,21 +89,32 @@
                         return false;
                     }
                 }
-                if (crl.length > 0) {
-                    certRevoked = crlHelper.serialNumberIsRevoked(certs[i].serialNumber, crl);
-                }
-                if (certRevoked) {
-                    break;
+            }
+
+            bytes memory issuerSubjectKeyIdentifier = issuer.subjectKeyIdentifier;
+
+            if (crl.length > 0) {
+                // check issuer subject key identifier against crl authority key identifier
+                bytes memory crlAuthorityKeyIdentifier = crlHelper.getAuthorityKeyIdentifier(crl);
+                if (!BytesUtils.compareBytes(issuerSubjectKeyIdentifier, crlAuthorityKeyIdentifier)) {
+                    return false;
                 }
+                certRevoked = crlHelper.serialNumberIsRevoked(current.serialNumber, crl);
+            }
+            if (certRevoked) {
+                break;
             }
 
-            certNotExpired = block.timestamp > certs[i].validityNotBefore && block.timestamp < certs[i].validityNotAfter;
+            certNotExpired = block.timestamp > current.validityNotBefore && block.timestamp < current.validityNotAfter;
             if (!certNotExpired) {
                 break;
             }
 
             {
-                verified = ecdsaVerify(sha256(certs[i].tbs), certs[i].signature, issuer.subjectPublicKey);
+                bytes memory currentAuthorityKeyIdentifier = current.authorityKeyIdentifier;
+                if (BytesUtils.compareBytes(issuerSubjectKeyIdentifier, currentAuthorityKeyIdentifier)) {
+                     verified = ecdsaVerify(sha256(current.tbs), current.signature, issuer.subjectPublicKey);
+                }
                 if (!verified) {
                     break;
                 }

diff --git a/lib/automata-on-chain-pccs b/lib/automata-on-chain-pccs
+131 −26		src/helpers/X509CRLHelper.sol
+126 −1		src/helpers/X509Helper.sol
+83 −0		test/misc/X509HelperTest.t.sol