X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-xmltooling.git;a=blobdiff_plain;f=xmltooling%2Fsecurity%2Fimpl%2FPKIXPathValidator.cpp;fp=xmltooling%2Fsecurity%2Fimpl%2FPKIXPathValidator.cpp;h=ce8d8942dda6999d93d0157c0a161f4eff35ee20;hp=9a11070770d7561d47a4c6622e530b1df4ac8a22;hb=30a436426f6fe4dd9f9657d131d09853fbd7b217;hpb=ed8a88a560d5076dcdf70f01c4d5c8581bfb75bc
diff --git a/xmltooling/security/impl/PKIXPathValidator.cpp b/xmltooling/security/impl/PKIXPathValidator.cpp
index 9a11070..ce8d894 100644
--- a/xmltooling/security/impl/PKIXPathValidator.cpp
+++ b/xmltooling/security/impl/PKIXPathValidator.cpp
@@ -338,7 +338,7 @@ bool PKIXPathValidator::validate(X509* EE, STACK_OF(X509)* untrusted, const Path
 // (subsequent calls will fail with OpenSSL 1.0.1p / 1.0.2d or later).
 X509_STORE_CTX_cleanup(&ctx);
 
- // When we add CRLs, we have to be sure the nextUpdate hasn't passed, because OpenSSL won't accept
+ // When we add CRLs, we have to be sure the nextUpdate hasn't passed, because OpenSSL won't accept
 // the CRL in that case. If we end up not adding a CRL for a particular link in the chain, the
 // validation will fail (if the fullChain option was set).
 set crlissuers;
@@ -399,24 +399,24 @@ bool PKIXPathValidator::validate(X509* EE, STACK_OF(X509)* untrusted, const Path
 // Do a second pass verify with CRLs in place. Reinitialize ctx, see
 // https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=aae41f8c54257d9fa6904d3a9aa09c5db6cefd0d
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) {
- log_openssl();
- m_log.error("unable to initialize X509_STORE_CTX");
- ret = 0;
- }
+ if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) {
+ log_openssl();
+ m_log.error("unable to initialize X509_STORE_CTX");
+ ret = 0;
+ }
 #else
- X509_STORE_CTX_init(&ctx,store,EE,untrusted);
+ X509_STORE_CTX_init(&ctx,store,EE,untrusted);
 #endif
- if (ret != 0) {
- X509_STORE_CTX_trusted_stack(&ctx,CAstack);
- X509_STORE_CTX_set_depth(&ctx,100); // already checked above
- X509_STORE_CTX_set_verify_cb(&ctx,error_callback);
- if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN)
- X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
- else
- X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK);
- ret = X509_verify_cert(&ctx);
- }
+ if (ret != 0) {
+ X509_STORE_CTX_trusted_stack(&ctx,CAstack);
+ X509_STORE_CTX_set_depth(&ctx,100); // already checked above
+ X509_STORE_CTX_set_verify_cb(&ctx,error_callback);
+ if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN)
+ X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ else
+ X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK);
+ ret = X509_verify_cert(&ctx);
+ }
 #else
 m_log.warn("CRL checking is enabled, but OpenSSL version is too old");
 ret = 0;