Diffstat (limited to 'src/certtool.c')
-rw-r--r--src/certtool.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/src/certtool.c b/src/certtool.c
index fd6b7106de..09ba675dab 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2912,9 +2912,16 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
- if (signer)
+ if (signer) {
ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
- else
+
+ if (ret >= 0 && purpose) {
+ unsigned res = gnutls_x509_crt_check_key_purpose(signer, purpose, 0);
+ if (res == 0)
+ ret = GNUTLS_E_CONSTRAINT_ERROR;
+ }
+
+ } else
ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
if (ret < 0) {
fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));