x509/verify: when verifying against a self signed certificate ignore issuer

That is, ignore issuer when checking the issuer's parameters strength. That
resolves the issue of marking self-signed certificates as with insecure
parameters during verification.

Resolves #347

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 26b1ab3f44db8e210d274d1df1455eb75dce2858..a59e6376421d6c15415b80f974712cc360b24043 100644 (file)
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -431,11 +431,13 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
                        _gnutls_debug_log(#level": certificate's security level is unacceptable\n"); \
                        return gnutls_assert_val(0); \
                } \
-               sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \
-               if (sp < level) { \
-                       _gnutls_cert_log("issuer", issuer); \
-                       _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \
-                       return gnutls_assert_val(0); \
+               if (issuer) { \
+                       sp = gnutls_pk_bits_to_sec_param(issuer_pkalg, issuer_bits); \
+                       if (sp < level) { \
+                               _gnutls_cert_log("issuer", issuer); \
+                               _gnutls_debug_log(#level": certificate's issuer security level is unacceptable\n"); \
+                               return gnutls_assert_val(0); \
+                       } \
                } \
                break;