when the trusted list contains a non-CA certificate warn via the audit log
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 5 Dec 2014 09:04:50 +0000 (10:04 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 5 Dec 2014 09:04:50 +0000 (10:04 +0100)
lib/x509/verify-high.c

index b8e8be460687a13c74e2f296cb133b2096659bee..7eae299c32ea0ddfaaa4080a0f06a2dcecec28c2 100644 (file)
@@ -315,6 +315,18 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
                        return i;
                }
 
+               if (gnutls_x509_crt_get_version(clist[i]) >= 3 &&
+                   gnutls_x509_crt_get_ca_status(clist[i], NULL) <= 0) {
+                       gnutls_datum_t dn;
+                       gnutls_assert();
+                       if (gnutls_x509_crt_get_dn2(clist[i], &dn) >= 0) {
+                               _gnutls_audit_log(NULL,
+                                         "There was a non-CA certificate in the trusted list: %s.\n",
+                                         dn.data);
+                               gnutls_free(dn.data);
+                       }
+               }
+
                list->node[hash].trusted_cas[list->node[hash].
                                             trusted_ca_size] = clist[i];
                list->node[hash].trusted_ca_size++;
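Review bot: When `gnutls_x509_crt_get_dn2` fails on L18 the audit entry is dropped entirely, so the very case the commit wants to surface can go unreported; add a fallback branch, `} else { _gnutls_audit_log(NULL, "There was a non-CA certificate in the trusted list.\n"); }`, so the warning is emitted with or without the DN. The `%s` on L20 is fed `dn.data`, which is an `unsigned char *` in `gnutls_datum_t`; casting it `(char *)dn.data` keeps `-Wformat` clean and makes the NUL-termination assumption explicit. Since the DN text is taken from the certificate, it may presumably carry control characters that would split or forge audit-log lines — worth confirming whether the logger or `get_dn2` escaping already handles that. Note the `<= 0` on L15 also treats a negative (error) return from `gnutls_x509_crt_get_ca_status` as "non-CA", which is the safe direction for a warning but means the message cannot distinguish a parse failure from an explicit CA=false. The enclosing `gnutls_x509_trust_list_add_cas` begins before this hunk.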