authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-03 17:43:03 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-03 17:43:03 +0200
commitc0db5c4a90b4310b02aa682083e5b24a5d34a93c (patch)
tree00a9c2ba44e0b49c97dea13cabbc9f5415f81e06
parentcbc63f9bbc67d0fda09a2159399fe00e67fabdc8 (diff)
downloadgnutls-c0db5c4a90b4310b02aa682083e5b24a5d34a93c.tar.gz
When verifying check for the same certificate in the trusted list, not only the issuer
When the certificate list being verified ends in a non-self-signed certificate, and the self-signed one isn't in our trusted list, make sure that we search for the non-self-signed one in our list as well. This affects gnutls_x509_trust_list_verify_crt() and makes its results identical to gnutls_x509_crt_list_verify().
-rw-r--r--lib/x509/verify-high.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 2f10b8c29c..e020bacfe5 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -644,6 +644,21 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
trusted_ca_size, flags,
func);
+#define LAST_DN cert_list[cert_list_size-1]->raw_dn
+#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
+
+ if ((*verify) & GNUTLS_CERT_SIGNER_NOT_FOUND &&
+ (LAST_DN.size != LAST_IDN.size || memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0))
+ {
+ hash = hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.data, cert_list[cert_list_size - 1]->raw_dn.size);
+ hash %= list->size;
+ *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->node[hash].
+ trusted_ca_size, flags,
+ func);
+ }
+
if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
return 0;