return 0;
}
+ /* Attempt searching using the issuer DN + serial number */
serial_size = sizeof(serial) - sizeof(tag);
ret =
gnutls_x509_crt_get_serial(cert, serial+sizeof(tag), &serial_size);
ret =
_pkcs11_traverse_tokens(find_cert, &priv, info,
NULL, pkcs11_obj_flags_to_int(flags));
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ /* attempt searching with the subject DN only */
+ memset(&priv, 0, sizeof(priv));
+ priv.crt = cert;
+
+ priv.dn.data = cert->raw_dn.data;
+ priv.dn.size = cert->raw_dn.size;
+ ret =
+ _pkcs11_traverse_tokens(find_cert, &priv, info,
+ NULL, pkcs11_obj_flags_to_int(flags));
+ }
if (ret < 0) {
gnutls_assert();
ret = 0;
&raw_issuer, GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
if (ret < 0) {
gnutls_assert();
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE && clist_size > 2) {
+ /* check if the last certificate in the chain is present
+ * in our trusted list, and if yes, verify against it. */
+ ret = gnutls_pkcs11_crt_is_known(url, certificate_list[clist_size - 1],
+ GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_COMPARE);
+ if (ret != 0) {
+ return _gnutls_verify_crt_status(certificate_list, clist_size,
+ &certificate_list[clist_size - 1], 1, flags, func);
+ }
+ }
status |= GNUTLS_CERT_INVALID;
status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
goto cleanup;