#define GNUTLS_TL_VERIFY_CRL 1
#define GNUTLS_TL_USE_IN_TLS (1<<1)
#define GNUTLS_TL_NO_DUPLICATES (1<<2)
+#define GNUTLS_TL_NO_DUPLICATE_KEY (1<<3)
int
gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
const gnutls_x509_crt_t * clist,
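Review bot: GNUTLS_TL_NO_DUPLICATE_KEY is added to the public header with no comment saying what it deduplicates on or how it differs from GNUTLS_TL_NO_DUPLICATES, which is the decision a caller has to make between the two. Going by the header comment of the helper it is wired to later in this commit (same name and same key), a one-line comment above the define would do: `/* skip a CA whose subject name and public key already match a trusted CA; GNUTLS_TL_NO_DUPLICATES skips byte-identical certificates only */`. Stating which flag wins when both are passed would also help, since the implementation has to pick one.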
_gnutls_x509_get_raw_field2(ASN1_TYPE c2, gnutls_datum_t * raw,
const char *whom, gnutls_datum_t * dn);
+bool
+_gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
+ gnutls_x509_crt_t cert2,
+ unsigned is_ca);
+
bool
_gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
gnutls_datum_t *cert2bin);
hash %= list->size;
/* avoid duplicates */
- if (flags & GNUTLS_TL_NO_DUPLICATES) {
+ if (flags & GNUTLS_TL_NO_DUPLICATES || flags & GNUTLS_TL_NO_DUPLICATE_KEY) {
for (j=0;j<list->node[hash].trusted_ca_size;j++) {
- if (_gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]) != 0) {
+ if (flags & GNUTLS_TL_NO_DUPLICATES)
+ ret = _gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]);
+ else
+ ret = _gnutls_check_if_same_key(list->node[hash].trusted_cas[j], clist[i], 1);
+ if (ret != 0) {
exists = 1;
break;
}
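Review bot: When a caller passes both GNUTLS_TL_NO_DUPLICATES and GNUTLS_TL_NO_DUPLICATE_KEY, the new if/else runs only the exact-certificate comparison, so the key-based check is silently dropped even though the outer condition on the first `+` line accepts either flag. Since a byte-identical certificate also satisfies the name-and-key comparison (per the helper's header comment elsewhere in this commit), testing the key flag first gives the stricter dedup when both are set: `if (flags & GNUTLS_TL_NO_DUPLICATE_KEY) ret = _gnutls_check_if_same_key(list->node[hash].trusted_cas[j], clist[i], 1); else ret = _gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]);` — or document that NO_DUPLICATES takes precedence. The unbraced if/else directly ahead of the braced `if (ret != 0)` is also easy to misread; bracing both branches, and writing the outer test as `flags & (GNUTLS_TL_NO_DUPLICATES | GNUTLS_TL_NO_DUPLICATE_KEY)`, would match the surrounding style. `ret` and the enclosing function are declared outside the hunk, so I am assuming `ret` is an int already in scope.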
* persistent. It will be deallocated when the trust list is.
*/
ret = gnutls_x509_trust_list_add_trust_mem(list, &der, NULL,
- GNUTLS_X509_FMT_DER, GNUTLS_TL_NO_DUPLICATES, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_TL_NO_DUPLICATE_KEY, 0);
if (ret < 0)
return gnutls_assert_val(ret);
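Review bot: Switching this call from GNUTLS_TL_NO_DUPLICATES to GNUTLS_TL_NO_DUPLICATE_KEY means a certificate whose subject name and key already match a trusted CA appears to be skipped regardless of its other contents, so which copy survives depends on load order: if a re-issued CA (same key, new validity period or extensions) is loaded after the older one, the newer copy is discarded rather than the older one replaced. That may well be the intent, but the comment above the call, which starts outside the hunk, should say so, e.g. `/* dedup by subject name + key: the first copy loaded wins, later re-issues of the same CA are skipped */`. The enclosing function begins outside the hunk.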
/* Checks if two certs have the same name and the same key. Return 1 on match.
* If @is_ca is zero then this function is identical to _gnutls_check_if_same_cert()
*/
-static bool
+bool
_gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
gnutls_x509_crt_t cert2,
unsigned is_ca)