certtool: introduce key purpose checks in p7 direct verification
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 18 Oct 2016 08:01:49 +0000 (10:01 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 18 Oct 2016 10:59:14 +0000 (12:59 +0200)
src/certtool.c

index fd6b7106de46ff696a27780c6c54352eeb22e806..09ba675dabb75d8e0fcffae279283b701e5c927b 100644 (file)
@@ -2912,9 +2912,16 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
                if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
                        flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
 
-               if (signer)
+               if (signer) {
                        ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
-               else
+
+                       if (ret >= 0 && purpose) {
+                               unsigned res = gnutls_x509_crt_check_key_purpose(signer, purpose, 0);
+                               if (res == 0)
+                                       ret = GNUTLS_E_CONSTRAINT_ERROR;
+                       }
+
+               } else
                        ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
                if (ret < 0) {
                        fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
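Review bot: The new purpose check on the direct-verification path calls gnutls_x509_crt_check_key_purpose with a flags argument of `0`, so a signer certificate carrying anyExtendedKeyUsage satisfies every requested purpose; if that is not intended for signature verification, pass `GNUTLS_KP_FLAG_DISALLOW_ANY` instead, or record the choice with a comment such as `/* flags=0: a cert with anyExtendedKeyUsage passes for any purpose */`. The `if (signer)` arm is now a braced block while the arm on the `} else` line stays a bare statement; bracing both keeps the construct symmetric and avoids a future dangling-statement slip there. The trust-list path through gnutls_pkcs7_verify presumably gets its purpose from vdata, which is built outside this hunk, so a one-line comment saying why the direct path needs an explicit check would help the next reader. verify_pkcs7's body starts before and continues after the hunk.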