authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-03 17:27:13 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-03 17:32:07 +0200
commit72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9 (patch)
treeae86d267eef1912a388c69096e1080dc9e6c1889 /lib/x509/verify-high.c
parent7b3b7eefeb2bf14f4d5ca2545be61fc3d59754db (diff)
downloadgnutls-72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9.tar.gz
When verifying check for the same certificate in the trusted list, not only the issuer
When the certificate list being verified ends in a non-self-signed certificate, and the self-signed one isn't in our trusted list, make sure that we search for the non-self-signed one in our list as well. This affects gnutls_x509_trust_list_verify_crt() and makes its results identical to gnutls_x509_crt_list_verify().
Diffstat (limited to 'lib/x509/verify-high.c')
-rw-r--r--lib/x509/verify-high.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 13395abd77..17f50a84c6 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -741,6 +741,29 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
list->
node[hash].trusted_ca_size,
flags, func);
+
+#define LAST_DN cert_list[cert_list_size-1]->raw_dn
+#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
+
+ if ((*voutput) & GNUTLS_CERT_SIGNER_NOT_FOUND &&
+ (LAST_DN.size != LAST_IDN.size ||
+ memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) {
+
+ /* if we couldn't find the issuer, try to see if the last
+ * certificate is in the trusted list and try to verify against
+ * (if it is not self signed) */
+ hash =
+ hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.
+ data, cert_list[cert_list_size - 1]->raw_dn.size);
+ hash %= list->size;
+
+ *voutput =
+ _gnutls_verify_crt_status(cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->
+ node[hash].trusted_ca_size,
+ flags, func);
+ }
}
if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))