From 93467cf4a2852eea0941ce79df8d667f7349b753 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 17 Feb 2017 10:06:58 +0100
Subject: gnutls_x509_crt_sign2: refuse to sign invalid X.509 certificates

That is, do not sign X.509 certificates which have fields that shouldn't be present on their corresponding version.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/x509/x509_write.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'lib/x509/x509_write.c')
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index 3e466bd102..5a4c4de327 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -1746,6 +1746,12 @@ gnutls_x509_crt_privkey_sign(gnutls_x509_crt_t crt,
 */
 disable_optional_stuff(crt);
 
+ result = _gnutls_check_cert_sanity(crt);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+
 result = _gnutls_x509_pkix_sign(crt->cert, "tbsCertificate",
 dig, issuer, issuer_key);
 if (result < 0) {
--
cgit v1.2.1
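Review bot: The new `_gnutls_check_cert_sanity(crt)` call gives `gnutls_x509_crt_privkey_sign` a failure path that this commit neither documents nor tests. The diffstat shows only `lib/x509/x509_write.c` changed, with six insertions that are all inside this hunk, so the function's API comment (which starts outside the hunk) is not updated, and no regression test pins the refusal. I would add a one-line why-comment above the call, e.g. `/* refuse to sign when fields are present that the certificate's version does not allow */`, and state in the API comment that a negative error code is now returned for such certificates. A test that attempts to sign a certificate carrying fields its version does not permit, and expects a negative return, would keep this fail-closed check from being dropped silently in a later refactor. The check also runs after `disable_optional_stuff(crt)`, so on failure the caller's `crt` may already have been modified; if that order is deliberate (validating exactly what would be signed), the comment should say so.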