diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-03 17:27:13 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-03 17:32:07 +0200 |
commit | 72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9 (patch) | |
tree | ae86d267eef1912a388c69096e1080dc9e6c1889 /lib/x509/verify-high.c | |
parent | 7b3b7eefeb2bf14f4d5ca2545be61fc3d59754db (diff) | |
download | gnutls-72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9.tar.gz |
When verifying check for the same certificate in the trusted list, not only the issuer
When the certificate list verifying ends in a non self-signed certificate,
and the self-signed isn't in our trusted list, make sure that we search
for the non-self-signed in our list as well. This affects,
gnutls_x509_trust_list_verify_crt() and makes its results identical to
gnutls_x509_crt_list_verify().
Diffstat (limited to 'lib/x509/verify-high.c')
-rw-r--r-- | lib/x509/verify-high.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 13395abd77..17f50a84c6 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -741,6 +741,29 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, list-> node[hash].trusted_ca_size, flags, func); + +#define LAST_DN cert_list[cert_list_size-1]->raw_dn +#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn + + if ((*voutput) & GNUTLS_CERT_SIGNER_NOT_FOUND && + (LAST_DN.size != LAST_IDN.size || + memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) { + + /* if we couldn't find the issuer, try to see if the last + * certificate is in the trusted list and try to verify against + * (if it is not self signed) */ + hash = + hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn. + data, cert_list[cert_list_size - 1]->raw_dn.size); + hash %= list->size; + + *voutput = + _gnutls_verify_crt_status(cert_list, cert_list_size, + list->node[hash].trusted_cas, + list-> + node[hash].trusted_ca_size, + flags, func); + } } if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) |