-rw-r--r-- | lib/x509/verify-high.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 13395abd77..17f50a84c6 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -741,6 +741,29 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
 list->
 node[hash].trusted_ca_size,
 flags, func);
+
+#define LAST_DN cert_list[cert_list_size-1]->raw_dn
+#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
+
+ if ((*voutput) & GNUTLS_CERT_SIGNER_NOT_FOUND &&
+ (LAST_DN.size != LAST_IDN.size ||
+ memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) {
+
+ /* if we couldn't find the issuer, try to see if the last
+ * certificate is in the trusted list and try to verify against
+ * (if it is not self signed) */
+ hash =
+ hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.
+ data, cert_list[cert_list_size - 1]->raw_dn.size);
+ hash %= list->size;
+
+ *voutput =
+ _gnutls_verify_crt_status(cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->
+ node[hash].trusted_ca_size,
+ flags, func);
+ }
 }
 if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) |
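Review bot: The `LAST_DN` / `LAST_IDN` macros are defined in the middle of the function body and never undefined, so they remain visible for the rest of verify-high.c and will expand against whatever `cert_list` and `cert_list_size` happen to be in scope at a later use; add `#undef LAST_DN` and `#undef LAST_IDN` after the closing brace of the new `if`, or replace both with a local pointer to the last certificate. The hash computation a few lines further down spells out `cert_list[cert_list_size - 1]->raw_dn` again instead of using `LAST_DN`, which obscures that the fallback lookup is keyed on the subject DN while the guard compares subject against issuer. That guard is a name comparison only, and since it decides whether a second trust-list lookup overwrites `*voutput`, it deserves a comment such as `/* name comparison only, not a signature check */` next to the `memcmp`. The new lines also index `cert_list[cert_list_size-1]` unconditionally; the function begins outside this hunk, so a `cert_list_size >= 1` guard presumably exists earlier and should be confirmed.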