authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-12-09 16:45:19 +0100
committerGitLab <gitlab@gitlab.com>2016-12-31 17:13:34 +0000
commitb9d2c08d490f0ef3125af4f97ae2a45b8ba8a1f9 (patch)
tree23c7c7a580318a03dff5838d3c034b88a3bc3992
parent85196de6840796b88cfd71274b980a7aad681f82 (diff)
pkcs11 verification: ensure that an issuer we retrieve is not blacklisttmp-fix-pkcs11-verification
It may happen in p11-kit trust module that a trusted certificate is both in the trusted set, and the blacklisted set. To avoid accepting a certificate when in both sets, we always check whether a trusted issuer certificate is in the blacklisted set.
-rw-r--r--lib/x509/verify.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 84746d4e85..3159e70f6f 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1169,6 +1169,17 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
goto cleanup;
}
+ /* check if the raw issuer is blacklisted (it can happen if
+ * the issuer is both in the trusted list and the blacklisted)
+ */
+ if (gnutls_pkcs11_crt_is_known (url, issuer,
+ GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+ GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) != 0) {
+ status |= GNUTLS_CERT_INVALID;
+ status |= GNUTLS_CERT_SIGNER_NOT_FOUND; /* if the signer is revoked - it is as if it doesn't exist */
+ goto cleanup;
+ }
+
/* security modules that provide trust, bundle all certificates (of all purposes)
* together. In software that doesn't specify any purpose assume the default to
* be www-server. */
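Review bot: The added check `if (gnutls_pkcs11_crt_is_known (url, issuer, ...) != 0)` treats every zero return as "issuer is not blacklisted", so a lookup that fails internally (trust module not reachable, object init failure) would leave the issuer accepted; if that function reports errors as 0, as its boolean contract suggests, the new check fails open where the error path just above it (`goto cleanup;`) appears to fail closed. At minimum that trade-off deserves a comment next to the call, e.g. `/* a lookup failure yields 0 and is treated as "not blacklisted" */`, or the check could be made with a query that distinguishes "absent" from "error". As a point of style, the call has a space before its opening parenthesis, which does not match the prevailing gnutls call style. The enclosing function `_gnutls_pkcs11_verify_crt_status` begins before this hunk, and the hunk header's six context lines suggest a blank context line was lost in rendering between the `}` and the first added line.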