pkcs11: when a signer isn't found in PKCS #11 force the verification of the chain
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 17 Sep 2014 11:26:25 +0000 (13:26 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 17 Sep 2014 11:26:28 +0000 (13:26 +0200)
That allows obtaining any additional flags from the chain, such as insecure
algorithms or expirations.

lib/x509/verify.c

index e71832d9edc3fffe38015ae302f74cdef27daebc..22902206f09cf149c036ec3e4804f12cb524d0e5 100644 (file)
@@ -1144,6 +1144,11 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
 
                status |= GNUTLS_CERT_INVALID;
                status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
+               /* verify the certificate list against 0 trusted CAs in order
+                * to get, any additional flags from the certificate list (e.g.,
+                * insecure algorithms or expired */
+               status |= _gnutls_verify_crt_status(certificate_list, clist_size,
+                                                   NULL, 0, flags, func);
                goto cleanup;
        }