| Field | Value | Details |
|---|---|---|
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-03 17:43:03 +0200 |
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-03 17:43:03 +0200 |
| commit | c0db5c4a90b4310b02aa682083e5b24a5d34a93c | (patch) |
| tree | 00a9c2ba44e0b49c97dea13cabbc9f5415f81e06 | /lib |
| parent | cbc63f9bbc67d0fda09a2159399fe00e67fabdc8 | (diff) |
| download | gnutls-c0db5c4a90b4310b02aa682083e5b24a5d34a93c.tar.gz | |
When verifying, check for the same certificate in the trusted list, not only the issuer
When the certificate list being verified ends in a non-self-signed certificate,
and the self-signed one isn't in our trusted list, make sure that we search
for the non-self-signed one in our list as well. This affects
gnutls_x509_trust_list_verify_crt() and makes its results identical to
gnutls_x509_crt_list_verify().
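The lookup the commit message describes, modelled as an added example (constructed C, not GnuTLS's own code): a trust list bucketed by a hash of the subject DN, and a verifier that first looks up the last certificate's issuer and, with the fix enabled, also looks up a non-self-signed last certificate by its own DN. Every name here (`trust_list_t`, `verify_chain`, `demo`, the DN strings) and the flag value are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a DN-hashed trust list; hypothetical, not GnuTLS's own code. */
#define NBUCKETS 8
#define SIGNER_NOT_FOUND 0x40u /* constructed stand-in for GNUTLS_CERT_SIGNER_NOT_FOUND */
typedef struct { const char *dn; const char *issuer_dn; } cert_t;
typedef struct { const cert_t *cas[4]; int n; } bucket_t;
typedef struct { bucket_t node[NBUCKETS]; } trust_list_t;
/* Bucket index from the DN string (stands in for hash_pjw_bare() % list->size). */
static unsigned hash_dn(const char *s) {
    unsigned h = 0;
    while (*s) h = h * 31u + (unsigned char)*s++;
    return h % NBUCKETS;
}
static void trust_add(trust_list_t *tl, const cert_t *ca) {
    bucket_t *b = &tl->node[hash_dn(ca->dn)];
    if (b->n < 4) b->cas[b->n++] = ca;
}
/* Is a trusted CA with subject `dn` present in the bucket that `dn` hashes to? */
static int bucket_has_dn(const trust_list_t *tl, const char *dn) {
    const bucket_t *b = &tl->node[hash_dn(dn)];
    for (int i = 0; i < b->n; i++)
        if (strcmp(b->cas[i]->dn, dn) == 0) return 1;
    return 0;
}
/* Old behaviour: only the last cert's issuer is looked up. With check_self, a non-self-signed
   last cert is also looked up by its own DN (what the commit adds). 0 = success. */
static unsigned verify_chain(const trust_list_t *tl, const cert_t *c, int n, int check_self) {
    const cert_t *last = &c[n - 1];
    if (bucket_has_dn(tl, last->issuer_dn)) return 0;
    if (check_self && strcmp(last->dn, last->issuer_dn) != 0 && bucket_has_dn(tl, last->dn))
        return 0;
    return SIGNER_NOT_FOUND;
}
/* Constructed chain leaf -> intermediate; the self-signed root is not sent with it. */
static const cert_t root  = { "CN=Example Root", "CN=Example Root" };
static const cert_t inter = { "CN=Example Intermediate", "CN=Example Root" };
static const cert_t chain[2] = { { "CN=server.example", "CN=Example Intermediate" },
                                 { "CN=Example Intermediate", "CN=Example Root" } };
/* Verify `chain` against a trust list that holds only `trusted`. */
static unsigned demo(const cert_t *trusted, int check_self) {
    trust_list_t tl; memset(&tl, 0, sizeof tl);
    trust_add(&tl, trusted);
    return verify_chain(&tl, chain, 2, check_self);
}
int main(void) {
    printf("intermediate trusted, issuer-only lookup: %u\n", demo(&inter, 0)); /* 64 */
    printf("intermediate trusted, plus own-DN lookup: %u\n", demo(&inter, 1)); /* 0 */
    return 0;
}
```

With only the intermediate in the trust list, the issuer-only lookup reports SIGNER_NOT_FOUND; the additional lookup by the last certificate's own DN accepts the chain, while a trusted root is found by either variant.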
Diffstat (limited to 'lib')
-rw-r--r-- | lib/x509/verify-high.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 2f10b8c29c..e020bacfe5 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -644,6 +644,21 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, trusted_ca_size, flags, func); +#define LAST_DN cert_list[cert_list_size-1]->raw_dn +#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn + + if ((*verify) & GNUTLS_CERT_SIGNER_NOT_FOUND && + (LAST_DN.size != LAST_IDN.size || memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) + { + hash = hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.data, cert_list[cert_list_size - 1]->raw_dn.size); + hash %= list->size; + *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size, + list->node[hash].trusted_cas, + list->node[hash]. + trusted_ca_size, flags, + func); + } + if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) return 0; |
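Review bot: the `LAST_DN` and `LAST_IDN` macros are defined in the middle of gnutls_x509_trust_list_verify_crt() and never `#undef`'d, so they stay visible for the rest of verify-high.c, and the hash line right below them spells out `cert_list[cert_list_size - 1]->raw_dn.data` / `.size` instead of reusing the macro just introduced. Suggest either `#undef LAST_DN` / `#undef LAST_IDN` after the block (or two local `gnutls_datum_t *` pointers instead of macros) and `hash = hash_pjw_bare(LAST_DN.data, LAST_DN.size);` for consistency. A short comment stating the intent would also help a later reader: the first pass keyed the bucket on the issuer, so when it reports GNUTLS_CERT_SIGNER_NOT_FOUND for a last certificate that is not self-signed (its DN differs from its issuer DN), verification is re-run against the bucket keyed by that certificate's own DN, because the trusted list may hold the certificate itself rather than its issuer. Two smaller points: writing the condition as `((*verify) & GNUTLS_CERT_SIGNER_NOT_FOUND) && (...)` makes the precedence explicit, and the second call overwrites `*verify` wholesale, so any other status bits the first pass set are dropped; whether that matters depends on `_gnutls_x509_verify_certificate`, which is not visible in this hunk.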