author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-12-09 16:45:19 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-12-31 12:37:36 +0100 |
commit | d194a1c70218a34301b7b4bef8f0664c92c56cf9 (patch) | |
tree | 8facb8a90d67ec41e9d1b0a1f8c6e12f8355caab | |
parent | 613d44c1fb13914b300e2f0df76d73e5a6fe1989 (diff) | |
pkcs11 verification: ensure that an issuer we retrieve is not blacklisted (tmp-gnutls_3_3_x-blacklisted-issuer-fix)
It may happen in p11-kit trust module that a trusted certificate is
both in the trusted set and in the blacklisted set. To avoid accepting
a certificate when in both sets, we always check whether a trusted
issuer certificate is in the blacklisted set.
-rw-r--r-- | lib/x509/verify.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 2bbb788ec4..05f4b5c041 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1166,6 +1166,17 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
 goto cleanup;
 }
 
+ /* check if the raw issuer is blacklisted (it can happen if
+ * the issuer is both in the trusted list and the blacklisted)
+ */
+ if (gnutls_pkcs11_crt_is_known (url, issuer,
+ GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+ GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) != 0) {
+ status |= GNUTLS_CERT_INVALID;
+ status |= GNUTLS_CERT_SIGNER_NOT_FOUND; /* if the signer is revoked - it is as if it doesn't exist */
+ goto cleanup;
+ }
+
 if (purpose != NULL) {
 ret = _gnutls_check_key_purpose(issuer, purpose);
 if (ret != 1) {
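Review bot: The new distrust check at the top of the hunk treats a zero return from gnutls_pkcs11_crt_is_known() as "not blacklisted", and as far as I can tell that function has no error channel, so a failed lookup (trust module not loadable, token error) would silently fail open and the trusted issuer would still be accepted; if that is the intended policy it deserves a comment such as `/* NOTE: is_known() returns 0 both for "not distrusted" and for a failed lookup; a trust-module error here is not treated as distrust */`. The trailing comment on the GNUTLS_CERT_SIGNER_NOT_FOUND line says "revoked", but the condition tested is presence in the trust module's distrusted set, not CRL/OCSP revocation; `/* a distrusted signer is treated as if it doesn't exist */` would describe it accurately. The enclosing function _gnutls_pkcs11_verify_crt_status begins and ends outside the hunk, so whether status and issuer are initialised before this point cannot be confirmed from here.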