author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-05-24 18:20:32 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-05-24 18:21:47 +0200 |
commit | 1b6cfff1c9aad0207498f11d372b8fc3d542cab2 (patch) | |
tree | 34b5a2302b26544a7ee735fe05580352fe735189 | |
parent | 77670476814c078bbad56ce8772b192a3b5736b6 (diff) | |
When checking for an issuer check for a match in the key identifiers.
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | lib/x509/verify.c | 40 |
2 files changed, 44 insertions, 5 deletions
@@ -3,6 +3,14 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. See the end for copying conditions.
+Version 2.12.20 (unreleased)
+
+** libgnutls: Check key identifiers when checking for an issuer.
+
+** API and ABI modifications:
+No changes since last version.
+
+
 Version 2.12.19 (released 2012-05-05)
 ** libgnutls: When decoding a PKCS #11 URL the pin-source field
@@ -15,7 +23,6 @@ SRP key exchange public keys.
 ** minitasn1: Upgraded to libtasn1 version 2.13 (pre-release).
 ** API and ABI modifications:
- No changes since last version.
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 97606bead5..2efcebfcbe 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -227,9 +227,12 @@ cleanup:
 static int
 is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
 {
- gnutls_datum_t dn1 = { NULL, 0 }, dn2 =
- {
- NULL, 0};
+ gnutls_datum_t dn1 = { NULL, 0 },
+ dn2 = { NULL, 0};
+ uint8_t id1[512];
+ uint8_t id2[512];
+ size_t id1_size;
+ size_t id2_size;
 int ret;
 ret = gnutls_x509_crt_get_raw_issuer_dn (cert, &dn1);
@@ -247,6 +250,34 @@ is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
 }
 ret = _gnutls_x509_compare_raw_dn (&dn1, &dn2);
+
+ if (ret != 0)
+ {
+ /* check if the authority key identifier matches the subject key identifier
+ * of the isser */
+ id1_size = sizeof(id1);
+
+ ret = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, NULL);
+ if (ret < 0)
+ {
+ ret = 1;
+ goto cleanup;
+ }
+
+ id2_size = sizeof(id2);
+ ret = gnutls_x509_crt_get_subject_key_id(issuer_cert, id2, &id2_size, NULL);
+ if (ret < 0)
+ {
+ ret = 1;
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (id1_size == id2_size && memcmp(id1, id2, id1_size) == 0)
+ ret = 1;
+ else
+ ret = 0;
+ }
 cleanup:
 _gnutls_free_datum (&dn1);
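Review bot: In the new key-identifier branch of is_issuer, every negative return from gnutls_x509_crt_get_authority_key_id and gnutls_x509_crt_get_subject_key_id is folded into `ret = 1`, so cert is reported as issued by issuer_cert not only when an extension is simply absent but also when the extension fails to decode or when an identifier does not fit the fixed 512-byte id1/id2 buffers declared in the previous hunk. Only the absent-extension case (presumably GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE from these getters, confirm against their implementation) should fall back to the DN-only match; any other error should be propagated as the negative value the public API documents, e.g. in both error paths `if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { gnutls_assert(); goto cleanup; }` ahead of `ret = 1;`. The guard `if (ret != 0)` also enters the branch when _gnutls_x509_compare_raw_dn itself returned a negative error code, if it can (its contract is not visible here), and that error is then overwritten by 1 or 0; `if (ret > 0)` would preserve it. Minor: the first error path lacks the gnutls_assert() the second has, and the comment should read `of the issuer` rather than `of the isser`.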
@@ -416,7 +447,8 @@ cleanup: * @issuer: is the certificate of a possible issuer * * This function will check if the given certificate was issued by the - * given issuer. + * given issuer. It checks the DN fields and the authority + * key identifier and subject key identifier fields match. * * Returns: It will return true (1) if the given certificate is issued * by the given issuer, and false (0) if not. A negative value is |
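Review bot: The updated doc comment of gnutls_x509_crt_check_issuer overstates the new check: as is_issuer is written in the previous hunk, the authority key identifier of @cert is compared with the subject key identifier of @issuer only when both can be read, and a certificate lacking either extension still passes on the DN match alone, so a reader of this text would wrongly assume such certificates are rejected. The sentence is also ungrammatical ("checks the DN fields and the ... fields match"). Suggested replacement for the two added lines: ` * given issuer. It checks that the DN fields match and, when both certificates` / ` * carry the extensions, that the authority key identifier of @cert matches the` / ` * subject key identifier of @issuer.` The comment block begins before this hunk and the function it documents starts after it.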