gnutls_x509_crt_sign2: refuse to sign invalid X.509 certificates

That is, do not sign X.509 certificates which have fields that shouldn't be present on their corresponding version. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-02-17 10:06:58 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-02-17 10:41:33 +0100
commit: 93467cf4a2852eea0941ce79df8d667f7349b753 (patch)
tree: 969b957159088d69aa4ab23578c03306dc62f50c /lib/x509/x509_write.c
parent: c7e029cbffcfe061e6dd75fd76d9d4970cd6a521 (diff)
download: gnutls-93467cf4a2852eea0941ce79df8d667f7349b753.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index 3e466bd102..5a4c4de327 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -1746,6 +1746,12 @@ gnutls_x509_crt_privkey_sign(gnutls_x509_crt_t crt,
 	 */
 	disable_optional_stuff(crt);
 
+	result = _gnutls_check_cert_sanity(crt);
+	if (result < 0) {
+		gnutls_assert();
+		return result;
+	}
+
 	result = _gnutls_x509_pkix_sign(crt->cert, "tbsCertificate",
 					dig, issuer, issuer_key);
 	if (result < 0) {
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-02-17 10:06:58 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-02-17 10:41:33 +0100
commit	93467cf4a2852eea0941ce79df8d667f7349b753 (patch)
tree	969b957159088d69aa4ab23578c03306dc62f50c /lib/x509/x509_write.c
parent	c7e029cbffcfe061e6dd75fd76d9d4970cd6a521 (diff)
download	gnutls-93467cf4a2852eea0941ce79df8d667f7349b753.tar.gz