| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-07-13 18:02:13 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-07-13 18:03:45 +0200 |
| commit | a1b44f677aff32d6cfc7f494a47b8de86c81fb21 (patch) | |
| tree | aff90d0bcf0ce309d4684ac00ef528add361eef9 | |
| parent | 14c40c59ac375185f8f54aba49931f918832105e (diff) | |
| download | gnutls-a1b44f677aff32d6cfc7f494a47b8de86c81fb21.tar.gz | |
When verifying a certificate chain make sure it is a chain.
If the chain is interrupted (wrong) at some point then truncate it,
and only try to verify the correct part. Patch by David Woodhouse.
-rw-r--r-- | lib/x509/verify-high.c | 12 |
1 files changed, 12 insertions, 0 deletions
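The truncation rule the commit describes (walk the presented list from the end entity and cut it at the first certificate that is not the issuer of the one before it) is easier to reason about as a small model. The following is an added example, not GnuTLS code: the `Cert` class, the `check_issuer` helper that mimics what a name-and-key-identifier issuer check does (DN match plus AKI/SKI match when both are present, no signature verification), and the sample chains are all constructed here for illustration. It also covers the cases a practitioner would want checked: a consistent chain, a chain broken at the very first link, and two certificates with the same DN but different key identifiers.

```python
# Added example (not GnuTLS code): a model of the chain truncation that the
# commit above adds to shorten_clist(). Certificates carry only the fields the
# issuer check needs; all sample data below is constructed for this example.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    # Subject Key Identifier / Authority Key Identifier; None if the
    # extension is absent.
    ski: Optional[bytes] = None
    aki: Optional[bytes] = None


def check_issuer(cert: Cert, issuer: Cert) -> bool:
    """Name-and-key-id issuer check (hypothetical stand-in for
    gnutls_x509_crt_check_issuer): the candidate issuer's subject DN must
    equal cert's issuer DN, and when cert carries an AKI and the candidate
    carries an SKI, the two must match. No signature is verified here; that
    is left to the chain verification that runs on the truncated list."""
    if cert.issuer != issuer.subject:
        return False
    if cert.aki is not None and issuer.ski is not None and cert.aki != issuer.ski:
        return False
    return True


def truncate_disjoint(chain: List[Cert]) -> List[Cert]:
    """Return the longest prefix of chain in which every certificate is
    issued (by name/key id) by the next one. chain[0] is the end entity.
    This mirrors the loop in the patch: at the first index i where chain[i]
    is not the issuer of chain[i-1], keep chain[:i] and stop."""
    size = len(chain)
    for i in range(1, size):
        if not check_issuer(chain[i - 1], chain[i]):
            size = i
            break
    return chain[:size]


# Constructed sample: A->B->C is a consistent chain and X->Y->Z is an
# unrelated chain appended after it (X does not issue C), matching the
# example given in the hunk's comment.
A = Cert("CN=A", "CN=B")
B = Cert("CN=B", "CN=C")
C = Cert("CN=C", "CN=Root1")
X = Cert("CN=X", "CN=Y")
Y = Cert("CN=Y", "CN=Z")
Z = Cert("CN=Z", "CN=Z")

# Constructed sample: same DN, different key. B2 names "CN=C" as its issuer
# but its AKI does not match C2's SKI, so the link B2->C2 is also a break.
C2 = Cert("CN=C", "CN=Root1", ski=b"\x01")
B2 = Cert("CN=B", "CN=C", aki=b"\x02")


def demo_subjects(chain: List[Cert]) -> List[str]:
    """Subjects of the certificates that survive truncation."""
    return [c.subject for c in truncate_disjoint(chain)]


if __name__ == "__main__":
    print(demo_subjects([A, B, C, X, Y, Z]))  # ['CN=A', 'CN=B', 'CN=C']
    print(demo_subjects([A, X]))              # ['CN=A']
    print(demo_subjects([A, B2, C2]))         # ['CN=A', 'CN=B']
```

Note that the surviving prefix is only known to be name-consistent; whether each certificate in it was actually signed by the next one, and whether the last one chains to a trust anchor, is still up to the verification step that follows.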
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index b9572b2f02..3b3c02ceb3 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -350,6 +350,18 @@ static int shorten_clist(gnutls_x509_trust_list_t list, uint32_t hash; gnutls_datum_t dn; + /* Start by truncating any disjoint list of certificates. For + * example, if the server presented a chain A->B->C->X->Y->Z + * where X is *not* actually the issuer of C, truncate at C. + */ + for(i=1;i<clist_size;i++) { + if (!gnutls_x509_crt_check_issuer(certificate_list[i-1], + certificate_list[i])) { + gnutls_assert(); + clist_size = i; + } + } + if (clist_size > 1) { /* Check if the last certificate in the path is self signed. * In that case ignore it (a certificate is trusted only if it |
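Review bot: in the new truncation loop the only thing ending the walk after a disjoint link is the `for` condition re-reading the shrunk `clist_size`; that is correct, but an explicit `break;` after `clist_size = i;` would make the "stop at the first break in the chain" intent obvious and not depend on the loop header. The loop also reuses `i` without declaring it in this hunk, so it is presumably the index declared earlier in shorten_clist(); worth confirming that nothing after the `if (clist_size > 1)` block expects `i` to still hold its previous value. Finally, the truncation is silent apart from the gnutls_assert() trace, which matches the commit message (verify only the correct part), but since gnutls_x509_crt_check_issuer() compares names and key identifiers rather than verifying signatures, a one-line comment that the remaining prefix is still subject to the full signature check below would help the next reader.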