Diffstat (limited to 'lib/x509/verify.c')
-rw-r--r--lib/x509/verify.c20
1 files changed, 20 insertions, 0 deletions
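--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1230,6 +1230,7 @@ _gnutls_pkcs11_verify_crt_status(gnutls_x509_trust_list_t tlist,
 gnutls_x509_crt_t issuer = NULL;
 gnutls_datum_t raw_issuer = { NULL, 0 };
 time_t now = gnutls_time(0);
+ time_t distrust_after;
 if (clist_size > 1) {
 /* Check if the last certificate in the path is self signed.
@@ -1376,6 +1377,25 @@ _gnutls_pkcs11_verify_crt_status(gnutls_x509_trust_list_t tlist,
 goto cleanup;
 }
+ /* check if the raw issuer is assigned with a time-based
+ * distrust and the certificate is issued after that period
+ */
+ distrust_after =
+ _gnutls_pkcs11_get_distrust_after(url, issuer,
+ purpose == NULL ?
+ GNUTLS_KP_TLS_WWW_SERVER :
+ purpose,
+ GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
+ if (distrust_after != (time_t) - 1
+ && distrust_after <
+ gnutls_x509_crt_get_activation_time(certificate_list
+ [clist_size - 1])) {
+ gnutls_assert();
+ status |= GNUTLS_CERT_INVALID;
+ status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
+ goto cleanup;
+ }
+
 /* check if the raw issuer is distrusted (it can happen if
 * the issuer is both in the trusted list and the distrusted)
 */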