When verifying check for the same certificate in the trusted list, not only the issuer
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 3 Apr 2014 15:27:13 +0000 (17:27 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 3 Apr 2014 15:32:07 +0000 (17:32 +0200)
When the certificate list verifying ends in a non self-signed certificate,
and the self-signed isn't in our trusted list, make sure that we search
for the non-self-signed in our list as well. This affects
gnutls_x509_trust_list_verify_crt() and makes its results identical to
gnutls_x509_crt_list_verify().

lib/x509/verify-high.c

index 13395abd770aed49c856de678b72b513427c1076..17f50a84c6b4d3ab5c78ab8521455f4d85ac8f96 100644 (file)
@@ -741,6 +741,29 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
                                                    list->
                                                    node[hash].trusted_ca_size,
                                                    flags, func);
+
+#define LAST_DN cert_list[cert_list_size-1]->raw_dn
+#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
+
+               if ((*voutput) & GNUTLS_CERT_SIGNER_NOT_FOUND &&
+                       (LAST_DN.size != LAST_IDN.size ||
+                        memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) {
+
+                       /* if we couldn't find the issuer, try to see if the last
+                        * certificate is in the trusted list and try to verify against
+                        * (if it is not self signed) */
+                       hash =
+                           hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.
+                                 data, cert_list[cert_list_size - 1]->raw_dn.size);
+                       hash %= list->size;
+
+                       *voutput =
+                           _gnutls_verify_crt_status(cert_list, cert_list_size,
+                                                   list->node[hash].trusted_cas,
+                                                   list->
+                                                   node[hash].trusted_ca_size,
+                                                   flags, func);
+               }
        }
 
        if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
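Review bot: LAST_DN and LAST_IDN are defined inside the function body (the two `#define` lines after the first _gnutls_verify_crt_status call) and never undefined, so they remain visible to everything that follows in verify-high.c; add `#undef LAST_DN` and `#undef LAST_IDN` after the closing brace of the new if-block. The hash computation in the new block then spells out `cert_list[cert_list_size - 1]->raw_dn.data/.size` by hand although the macro it just introduced abbreviates exactly that, so `hash = hash_pjw_bare(LAST_DN.data, LAST_DN.size);` would read consistently with the comparison above it. The condition mixes `&` and `&&` and depends on precedence; wrapping the bit test in its own parentheses would make the intent obvious to the next reader. The second call overwrites *voutput unconditionally, and whether cert_list_size is guaranteed non-zero before the `cert_list_size-1` index is used is decided earlier in gnutls_x509_trust_list_verify_crt, outside this hunk.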