diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-12-30 19:57:08 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-12-30 19:57:11 +0100 |
commit | 32b56287cc9d07dfbbc2ee21b70a8fbe1f2d9f2f (patch) | |
tree | 0b7d61531258e5f1d1b4b11bf4bfd2317f2ff42c | |
parent | 3d8f3da8c74d93ac8e867426024c4a8590332023 (diff) | |
download | gnutls-32b56287cc9d07dfbbc2ee21b70a8fbe1f2d9f2f.tar.gz |
x509/verify: when verifying against a self signed certificate ignore issuer
That is, ignore issuer when checking the issuer's parameters strength. That
resolves the issue of marking self-signed certificates as with insecure
parameters during verification.
Resolves #347
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | lib/x509/verify.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 26b1ab3f44..a59e637642 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -431,11 +431,13 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned _gnutls_debug_log(#level": certificate's security level is unacceptable\n"); \ return gnutls_assert_val(0); \ } \ - sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \ - if (sp < level) { \ - _gnutls_cert_log("issuer", issuer); \ - _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \ - return gnutls_assert_val(0); \ + if (issuer) { \ + sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \ + if (sp < level) { \ + _gnutls_cert_log("issuer", issuer); \ + _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \ + return gnutls_assert_val(0); \ + } \ } \ break; |