authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-10-18 10:01:49 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-10-18 12:59:14 +0200
commit110b6d3111bf41377a9bb9f6fdbf2249eff84cea (patch)
treefdcd1ef58fb4767126b92c3391fe020c78863262
parent9174d813f24358fd1e135ec3721d65fda9c650d5 (diff)
downloadgnutls-110b6d3111bf41377a9bb9f6fdbf2249eff84cea.tar.gz
certtool: introduce key purpose checks in p7 direct verification
-rw-r--r--src/certtool.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/src/certtool.c b/src/certtool.c
index fd6b7106de..09ba675dab 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2912,9 +2912,16 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
- if (signer)
+ if (signer) {
ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
- else
+
+ if (ret >= 0 && purpose) {
+ unsigned res = gnutls_x509_crt_check_key_purpose(signer, purpose, 0);
+ if (res == 0)
+ ret = GNUTLS_E_CONSTRAINT_ERROR;
+ }
+
+ } else
ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
if (ret < 0) {
fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));