author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-13 09:25:59 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-13 09:44:53 +0100 |
commit | b404b039fa299d5465ec687205034ad2f33d7af2 (patch) | |
tree | a5a38ba564f88230094d288db9aacd68b7ab16c8 | |
parent | 41c446121dde80ea2190f156b6e344d37b6ffcc4 (diff) | |
download | gnutls-b404b039fa299d5465ec687205034ad2f33d7af2.tar.gz |
Use the GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE to ensure that only trusted modules are used.
Conflicts:
lib/x509/verify.c
-rw-r--r-- | lib/x509/verify.c | 21 |
1 files changed, 2 insertions, 19 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index b916ee51de..ffa450a9ac 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -730,25 +730,6 @@ _gnutls_pkcs11_verify_certificate(const char* url,
 	unsigned int status = 0, i;
 	gnutls_x509_crt_t issuer = NULL;
 	gnutls_datum_t raw_issuer = {NULL, 0};
-	unsigned int is_token_ok = 0;
-	size_t t;
-
-	t = sizeof(is_token_ok);
-	ret = gnutls_pkcs11_token_get_info(url, GNUTLS_PKCS11_TOKEN_TRUSTED_UINT,
-					    &is_token_ok, &t);
-	if (ret < 0) {
-		_gnutls_debug_log("Cannot allow verifying against a token it's trust status cannot be determined\n");
-		gnutls_assert();
-		status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
-		return status;
-	}
-
-	if (is_token_ok == 0) {
-		_gnutls_debug_log("Cannot allow verifying against a token that is not a trust module\n");
-		gnutls_assert();
-		status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
-		return status;
-	}
 
 	if (clist_size > 1) {
 		/* Check if the last certificate in the path is self signed.
@@ -779,6 +760,7 @@ _gnutls_pkcs11_verify_certificate(const char* url,
 	for (; i < clist_size; i++) {
 		if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i],
+			GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
 			GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED) != 0) {
 			clist_size = i;
 			break;
@@ -795,6 +777,7 @@ _gnutls_pkcs11_verify_certificate(const char* url,
 	/* check for blacklists */
 	for (i = 0; i < clist_size; i++) {
 		if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i],
+			GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
 			GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) != 0) {
 			status |= GNUTLS_CERT_INVALID;
 			status |= GNUTLS_CERT_REVOKED;
|
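Review bot: The blacklist loop in the third hunk changes the failure mode from fail-closed to fail-open: the deleted code returned `GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND` whenever the token's trust status could not be determined, whereas `_gnutls_pkcs11_crt_is_known(...) != 0` treats a lookup that errors out the same as "not distrusted", so a module that cannot be queried now silently skips the distrust check (whether the helper distinguishes an error from a miss is not visible here; if it does not, add a comment at the call such as `/* a query failure is treated as "not distrusted"; the anchor search above applied the same filter */` or give the error its own path). The first hunk removes the only visible assignment to `ret`; if nothing else in the function writes it, it is now an unused variable. The removed `_gnutls_debug_log` calls were also the only diagnostic for a rejected non-trust module, so a debug log when the anchor loop exits without a match would keep that trail. `_gnutls_pkcs11_verify_certificate` starts and ends outside these hunks.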