authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-04 15:35:48 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-04 16:25:10 +0200
commitd8148dd0278af3290633fee7b1dbbd9350e85463 (patch)
tree7947968b624d3a09bb3d61e4470d4701e98be9ac
parent8dacee4bdd5ae712adb1cdb314c53d0bb0d6aa6a (diff)
Perform time check when removing a certificate in _gnutls_pkcs11_verify_crt_status()
This brings the function on par with _gnutls_verify_crt_status().
-rw-r--r--lib/x509/verify.c24
1 files changed, 20 insertions, 4 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index be9491ab6a..af12c8a797 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -643,10 +643,8 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
/* explicity time check for trusted CA that we remove from
* list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS
*/
- if (!
- (flags &
- GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS)
-&& !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) {
+ if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) &&
+ !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) {
status |=
check_time(trusted_cas[j],
now);
@@ -743,6 +741,7 @@ _gnutls_pkcs11_verify_certificate(const char* url,
unsigned int status = 0, i;
gnutls_x509_crt_t issuer = NULL;
gnutls_datum_t raw_issuer = {NULL, 0};
+ time_t now = gnutls_time(0);
if (clist_size > 1) {
/* Check if the last certificate in the path is self signed.
@@ -775,6 +774,21 @@ _gnutls_pkcs11_verify_certificate(const char* url,
if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i],
GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED) != 0) {
+
+ if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) &&
+ !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) {
+ status |=
+ check_time_status(certificate_list[i], now);
+ if (status != 0) {
+ if (func)
+ func(certificate_list[i], certificate_list[i], NULL, status);
+ return status;
+ }
+ }
+ if (func)
+ func(certificate_list[i],
+ certificate_list[i], NULL, status);
+
clist_size = i;
break;
}
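Review bot: The early-return condition `if (status != 0)` after `status |= check_time_status(certificate_list[i], now);` tests the accumulated status, not the outcome of the time check, so if any code between the `status = 0` initialisation at the top of _gnutls_pkcs11_verify_certificate and this point (not visible in the hunk) has already set a bit, a trusted certificate that is valid in time would still be rejected here. Capturing the result first removes that dependency: `unsigned int tstatus = check_time_status(certificate_list[i], now);` / `if (tstatus != 0) {` / `status |= tstatus;` and then the existing callback and return. The two `func(certificate_list[i], certificate_list[i], NULL, status)` calls could then be collapsed into one call placed before the return check, since both paths report the same certificate and status. Whether check_time_status() itself sets GNUTLS_CERT_INVALID alongside the EXPIRED/NOT_ACTIVATED bit cannot be seen from this hunk; if it does not, the returned status would lack the generic invalid flag that callers commonly test, and this is worth confirming against its definition. The enclosing function starts and ends outside the hunk.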
@@ -806,6 +820,7 @@ _gnutls_pkcs11_verify_certificate(const char* url,
if (ret < 0) {
gnutls_assert();
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE && clist_size > 2) {
+
/* check if the last certificate in the chain is present
* in our trusted list, and if yes, verify against it. */
ret = gnutls_pkcs11_crt_is_known(url, certificate_list[clist_size - 1],
@@ -815,6 +830,7 @@ _gnutls_pkcs11_verify_certificate(const char* url,
&certificate_list[clist_size - 1], 1, flags, func);
}
}
+
status |= GNUTLS_CERT_INVALID;
status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
return status;