author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-12-30 19:57:08 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-01-07 10:08:00 +0100 |
commit | a3fa4a1422943c89c89d3102bce3cac3f00a40b3 (patch) | |
tree | f1ab760bfc6b385708f77f0e0cda0890830a51c4 | |
parent | 6c1947bc8ff3dc5633783f6326958beb353861e6 (diff) | |
download | gnutls-a3fa4a1422943c89c89d3102bce3cac3f00a40b3.tar.gz |
x509/verify: when verifying against a self signed certificate ignore issuer
That is, ignore issuer when checking the issuer's parameters strength. That
resolves the issue of marking self-signed certificates as with insecure
parameters during verification.
Resolves #347
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | lib/x509/verify.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 7a922a68b8..b0aec6315e 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -383,11 +383,13 @@ unsigned _gnutls_is_broken_sig_allowed(gnutls_sign_algorithm_t sig, unsigned int _gnutls_debug_log(#level": certificate's security level is unacceptable\n"); \ return gnutls_assert_val(0); \ } \ - sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \ - if (sp < level) { \ - _gnutls_cert_log("issuer", issuer); \ - _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \ - return gnutls_assert_val(0); \ + if (issuer) { \ + sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \ + if (sp < level) { \ + _gnutls_cert_log("issuer", issuer); \ + _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \ + return gnutls_assert_val(0); \ + } \ } \ break; |
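Review bot: the new `if (issuer) { \` guard in the security-level macro tests only whether the pointer is non-NULL, and nothing in the hunk documents that a NULL `issuer` is how the self-signed case from the commit message reaches this code. A one-line comment above the guard stating that contract would keep a later reader from treating the skipped check as an oversight. The hunk also does not show where `issuer_pkalg` and `issuer_bits` are filled in; it is worth confirming that code is guarded against a NULL `issuer` as well, since those values are only consumed inside the new block. A regression test for #347 alongside this change would pin the behaviour down: a self-signed certificate with acceptable parameters passes, while the certificate's own level check just above the guard still rejects weak parameters.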