authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-03-25 09:42:16 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-03-25 10:04:18 +0100
commitd3fedf9da0df6a6097c368679356b2fc1058c6f3 (patch)
tree182619eb3f5fb86859185a296d1a278e86222c3e /lib/x509/verify-high.c
parent9d0ba0df29a2c427454ababbe8f1e7d8791b5f3a (diff)
downloadgnutls-d3fedf9da0df6a6097c368679356b2fc1058c6f3.tar.gz
Added gnutls_x509_crt_check_email(), gnutls_openpgp_crt_check_email() and GNUTLS_DT_RFC822NAME
Diffstat (limited to 'lib/x509/verify-high.c')
-rw-r--r--lib/x509/verify-high.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 6e3a4be20e..2729976bbe 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -1106,7 +1106,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
unsigned int i;
uint32_t hash;
gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
- const char *hostname = NULL, *purpose = NULL;
+ const char *hostname = NULL, *purpose = NULL, *email = NULL;
unsigned hostname_size = 0;
if (cert_list == NULL || cert_list_size < 1)
@@ -1118,6 +1118,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
if (data[i].size > 0) {
hostname_size = data[i].size;
}
+ if (email != NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ } else if (data[i].type == GNUTLS_DT_RFC822NAME) {
+ email = (void*)data[i].data;
+ if (hostname != NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
} else if (data[i].type == GNUTLS_DT_KEY_PURPOSE_OID) {
purpose = (void*)data[i].data;
}
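Review bot: The new `GNUTLS_DT_RFC822NAME` branch stores `data[i].data` without looking at `data[i].size`, whereas the hostname branch just above records `hostname_size`, so the address is implicitly required to be a NUL-terminated string. A NULL `data` pointer on such an entry leaves `email` unset, and the owner check added later in this commit is then skipped without any error, which fails open for a caller who believed it had requested the check. Consider rejecting that case with `if (data[i].data == NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` and stating the contract in a comment such as `/* email must be NUL-terminated; data[i].size is ignored */`. The enclosing loop and function body start and end outside this hunk.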
@@ -1220,6 +1224,13 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
*voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID;
}
+ if (email) {
+ ret =
+ gnutls_x509_crt_check_email(cert_list[0], email, 0);
+ if (ret == 0)
+ *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID;
+ }
+
/* CRL checks follow */
if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
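Review bot: In the added `if (email)` block only `ret == 0` sets `GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID`, so every other return value is treated as a successful match. The definition of `gnutls_x509_crt_check_email()` is not part of this file's diff; if it can return a negative error code, an internal failure would be accepted as a match. Either confirm that the callee returns strictly non-zero on match and zero otherwise, or, assuming `ret` is a signed int (its declaration is outside the hunk), tighten the test to `if (ret <= 0)`. A short comment such as `/* non-zero means the address matched the end-entity certificate */` would document the convention.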