authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-02-13 09:25:59 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-02-13 09:44:53 +0100
commitb404b039fa299d5465ec687205034ad2f33d7af2 (patch)
treea5a38ba564f88230094d288db9aacd68b7ab16c8
parent41c446121dde80ea2190f156b6e344d37b6ffcc4 (diff)
downloadgnutls-b404b039fa299d5465ec687205034ad2f33d7af2.tar.gz
Use the GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE to ensure that only trusted modules are used.
Conflicts: lib/x509/verify.c
-rw-r--r--lib/x509/verify.c21
1 files changed, 2 insertions, 19 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index b916ee51de..ffa450a9ac 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -730,25 +730,6 @@ _gnutls_pkcs11_verify_certificate(const char* url,
unsigned int status = 0, i;
gnutls_x509_crt_t issuer = NULL;
gnutls_datum_t raw_issuer = {NULL, 0};
- unsigned int is_token_ok = 0;
- size_t t;
-
- t = sizeof(is_token_ok);
- ret = gnutls_pkcs11_token_get_info(url, GNUTLS_PKCS11_TOKEN_TRUSTED_UINT,
- &is_token_ok, &t);
- if (ret < 0) {
- _gnutls_debug_log("Cannot allow verifying against a token it's trust status cannot be determined\n");
- gnutls_assert();
- status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
- return status;
- }
-
- if (is_token_ok == 0) {
- _gnutls_debug_log("Cannot allow verifying against a token that is not a trust module\n");
- gnutls_assert();
- status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
- return status;
- }
if (clist_size > 1) {
/* Check if the last certificate in the path is self signed.
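Review bot: With the whole-token gate removed, nothing in this function any longer states the invariant the commit relies on, namely that trust decisions are now scoped per object via GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE rather than by a check on the token the URL resolves to; a reader of the new side sees the declarations jump straight into the chain handling. I would add a short comment where the removed block stood, e.g. `/* No per-token trust gate here: the lookups below only accept objects that live in a module marked trusted (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE). */`. The removed lines were also the only use of `ret` visible in this hunk; if `ret` is declared above the hunk and not used elsewhere in the function it is now a set-but-unused warning, which I cannot confirm from here. The two distinct debug messages for "trust status unknown" and "not a trust module" are gone, so a misconfigured p11-kit module will now fail only as a generic signer-not-found further down. _gnutls_pkcs11_verify_certificate starts before this hunk and continues after it.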
@@ -779,6 +760,7 @@ _gnutls_pkcs11_verify_certificate(const char* url,
for (; i < clist_size; i++) {
if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i],
+ GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED) != 0) {
clist_size = i;
break;
@@ -795,6 +777,7 @@ _gnutls_pkcs11_verify_certificate(const char* url,
/* check for blacklists */
for (i = 0; i < clist_size; i++) {
if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i],
+ GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) != 0) {
status |= GNUTLS_CERT_INVALID;
status |= GNUTLS_CERT_REVOKED;
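Review bot: The blacklist check is now fail-open on lookup errors: `_gnutls_pkcs11_crt_is_known(...) != 0` treats every non-match result as "not blacklisted", and the early return that previously rejected verification when the token's trust status could not be read no longer runs before this loop. If the helper folds a failed module query into the same return value as "object not present" (its contract is not visible in this hunk), an unreadable or partially loaded trust module lets a blacklisted certificate through rather than failing closed as the old code did. Either the helper should report errors distinctly and this loop should treat them like the old path, e.g. `ret = _gnutls_pkcs11_crt_is_known(...); if (ret < 0) return status | GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;`, or the assumption should be written down: `/* assumes _gnutls_pkcs11_crt_is_known returns non-zero only on a confirmed match; a lookup failure must not silently clear the distrust - TODO confirm */`. The loop body and the enclosing function continue past the end of this hunk.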