authorDaiki Ueno <ueno@gnu.org>2020-05-31 13:59:53 +0200
committerDaiki Ueno <ueno@gnu.org>2020-05-31 15:32:13 +0200
commitcdf075e7f54cb77f046ef3e7c2147f159941faca (patch)
tree662a41e5d955525f1ab67fbeb97a9b701ce10841
parent299bd4f113d0bd39fa1577a671a04ed7899eff3c (diff)
downloadgnutls-cdf075e7f54cb77f046ef3e7c2147f159941faca.tar.gz
x509: trigger fallback verification path when cert is expired
gnutls_x509_trust_list_verify_crt2 uses the macro SIGNER_OLD_OR_UNKNOWN to trigger the fallback verification path if the signer of the last certificate is not in the trust store. Previously, it did not take into account the condition where the certificate is expired. Signed-off-by: Daiki Ueno <ueno@gnu.org>
-rw-r--r--lib/x509/verify-high.c12
1 files changed, 7 insertions, 5 deletions
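--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
 #define LAST_DN cert_list[cert_list_size-1]->raw_dn
 #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
-/* This macro is introduced to detect a verification output
- * which indicates an unknown signer, or a signer which uses
- * an insecure algorithm (e.g., sha1), something that indicates
- * a superseded signer */
-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
+/* This macro is introduced to detect a verification output which
+ * indicates an unknown signer, a signer which uses an insecure
+ * algorithm (e.g., sha1), a signer has expired, or something that
+ * indicates a superseded signer */
+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \
+ (output & GNUTLS_CERT_EXPIRED) || \
+ (output & GNUTLS_CERT_INSECURE_ALGORITHM))
 #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
 /**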
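Review bot: The macro parameter is used unparenthesized in all three `(output & …)` terms of the rewritten SIGNER_OLD_OR_UNKNOWN, so an argument such as `a | b` would bind as `a | (b & GNUTLS_CERT_EXPIRED)` because `&` binds tighter than `|`; each term should read `((output) & GNUTLS_CERT_EXPIRED)`, and the untouched SIGNER_WAS_KNOWN on the following line has the same shape. The new comment's "a signer has expired" reads better as "an expired signer", and since the macro now widens the set of outputs that trigger the fallback path, a short sentence stating that the fallback only retries against another signer and that the GNUTLS_CERT_EXPIRED bit is still reported to the caller would make the intent reviewable; I cannot confirm that from this hunk because the macro's callers are outside it, so it is worth checking that nothing on that path clears the expiry flag.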