diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-17 10:06:58 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-17 10:41:33 +0100 |
commit | 93467cf4a2852eea0941ce79df8d667f7349b753 (patch) | |
tree | 969b957159088d69aa4ab23578c03306dc62f50c /lib/x509/x509_write.c | |
parent | c7e029cbffcfe061e6dd75fd76d9d4970cd6a521 (diff) | |
download | gnutls-93467cf4a2852eea0941ce79df8d667f7349b753.tar.gz |
gnutls_x509_crt_sign2: refuse to sign invalid X.509 certificates
That is, do not sign X.509 certificates which have fields that
shouldn't be present on their corresponding version.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/x509/x509_write.c')
-rw-r--r-- | lib/x509/x509_write.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c index 3e466bd102..5a4c4de327 100644 --- a/lib/x509/x509_write.c +++ b/lib/x509/x509_write.c @@ -1746,6 +1746,12 @@ gnutls_x509_crt_privkey_sign(gnutls_x509_crt_t crt, */ disable_optional_stuff(crt); + result = _gnutls_check_cert_sanity(crt); + if (result < 0) { + gnutls_assert(); + return result; + } + result = _gnutls_x509_pkix_sign(crt->cert, "tbsCertificate", dig, issuer, issuer_key); if (result < 0) { |