]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
When verifying, check for the same certificate in the pkcs11 trusted list, not only...
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 4 Apr 2014 13:07:44 +0000 (15:07 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 4 Apr 2014 14:20:40 +0000 (16:20 +0200)
When the certificate list verifying ends in a non self-signed certificate,
and the self-signed isn't in our pkcs11 trusted list, make sure that we search
for the non-self-signed as well. This affects, gnutls_x509_trust_list_verify_crt()
when used with a PKCS #11 trust module.

lib/pkcs11.c
lib/x509/verify.c

index 67d1af54981e95bc94e9a1d1b2326960a32626e3..d3a4f28b8aa85820472396f34f866b9a2ad7eab1 100644 (file)
@@ -3340,6 +3340,7 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
                return 0;
        }
 
+       /* Attempt searching using the issuer DN + serial number */
        serial_size = sizeof(serial) - sizeof(tag);
        ret =
            gnutls_x509_crt_get_serial(cert, serial+sizeof(tag), &serial_size);
@@ -3376,6 +3377,17 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
        ret =
            _pkcs11_traverse_tokens(find_cert, &priv, info,
                                    NULL, pkcs11_obj_flags_to_int(flags));
+       if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+               /* attempt searching with the subject DN only */
+               memset(&priv, 0, sizeof(priv));
+               priv.crt = cert;
+
+               priv.dn.data = cert->raw_dn.data;
+               priv.dn.size = cert->raw_dn.size;
+               ret =
+                   _pkcs11_traverse_tokens(find_cert, &priv, info,
+                                   NULL, pkcs11_obj_flags_to_int(flags));
+       }
        if (ret < 0) {
                gnutls_assert();
                ret = 0;
index 7d87f98024e22618627eaf9cdd79b513ad7fb2f5..8cbce4ef5efc69f30668c895d5b6f276c91cab29 100644 (file)
@@ -1038,6 +1038,16 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
                &raw_issuer, GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
        if (ret < 0) {
                gnutls_assert();
+               if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE && clist_size > 2) {
+                       /* check if the last certificate in the chain is present
+                        * in our trusted list, and if yes, verify against it. */
+                       ret = gnutls_pkcs11_crt_is_known(url, certificate_list[clist_size - 1],
+                               GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_COMPARE);
+                       if (ret != 0) {
+                               return _gnutls_verify_crt_status(certificate_list, clist_size,
+                                       &certificate_list[clist_size - 1], 1, flags, func);
+                       }
+               }
                status |= GNUTLS_CERT_INVALID;
                status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
                goto cleanup;