pkcs11: always check for a valid subjectKeyIdentifier match
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 7 Oct 2014 14:20:18 +0000 (16:20 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 7 Oct 2014 14:20:23 +0000 (16:20 +0200)
That way, expired certificates can co-exist with their replacements.

lib/pkcs11.c
lib/x509/common.c
lib/x509/common.h

index cef0700dfde41b18dbf47e1b89be7a63b49558de..13dee0aae0b513ac1c4b9f3f812a72ceb092c0ac 100644 (file)
@@ -3124,6 +3124,7 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
        gnutls_datum_t data = {NULL, 0};
        unsigned tries, i, finalized;
        ck_bool_t trusted = 1;
+       time_t now;
 
        if (info == NULL) {
                gnutls_assert();
@@ -3149,6 +3150,7 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
        else
                tries = 1;
 
+       now = gnutls_time(0);
        for (i = 0; i < tries; i++) {
 
                a_vals = 0;
@@ -3247,8 +3249,8 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
                                gnutls_datum_t id =
                                    { a[1].value, a[1].value_len };
 
-                               if (i > 0 && priv->key_id.size > 0 &&
-                                   !_gnutls_check_subject_key_id2(&priv->key_id, &data)) {
+                               if (priv->key_id.size > 0 &&
+                                   !_gnutls_check_valid_key_id(&priv->key_id, &data, now)) {
                                        gnutls_assert();
                                        continue;
                                }
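Review bot: Dropping the `i > 0` guard means the `continue` now also fires on the first lookup pass, and `_gnutls_check_valid_key_id` jumps to `out` (presumably returning false) whenever `gnutls_x509_crt_get_subject_key_id` fails, which would include certificates that carry no subjectKeyIdentifier extension at all; such certificates would now be skipped on every pass even when their CKA_ID matches `priv->key_id`, whereas before the first pass accepted them. If that is intended it deserves a comment at the check, e.g. `/* a certificate without a subjectKeyIdentifier never matches, even on the first pass */`; otherwise the missing-extension case should be distinguished from an SKI mismatch. `find_cert_cb` begins before the first hunk and ends after this one, so what distinguishes the passes (`tries`) is not visible here.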
index a86bbe12922297bfd0a8e1d9b31d118b4659ac33..616228f1520ad4ba9e5ff97165351c29f412dc90 100644 (file)
@@ -1952,8 +1952,8 @@ int x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert,
 }
 
 bool
-_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
-                             gnutls_datum_t *certbin)
+_gnutls_check_valid_key_id(gnutls_datum_t *key_id,
+                           gnutls_datum_t *certbin, time_t now)
 {
        uint8_t id[MAX_KEY_ID_SIZE];
        size_t id_size;
@@ -1970,6 +1970,13 @@ _gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
                goto out;
        }
 
+       if (now > gnutls_x509_crt_get_expiration_time(cert) &&
+           now < gnutls_x509_crt_get_activation_time(cert)) {
+               /* don't bother, certificate is not yet activated or expired */
+               gnutls_assert();
+               goto out;
+       }
+
        if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) {
                gnutls_assert();
                goto out;
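Review bot: The validity test on the added lines can never be true: `now > expiration && now < activation` requires the certificate to be both already expired and not yet activated, so no certificate is ever skipped here and the co-existence of expired certificates with their replacements described in the commit message is not achieved. The condition should be `if (now > gnutls_x509_crt_get_expiration_time(cert) || now < gnutls_x509_crt_get_activation_time(cert)) {`. Both getters report failure as `(time_t)-1` according to their public documentation, which this comparison would read as "expired" for the expiration getter and silently pass for the activation getter; if an unparseable validity period should be rejected, test for `(time_t)-1` explicitly before comparing. The body of `_gnutls_check_valid_key_id`, including the `out` label, continues past the hunk.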
index 6af4c410b16afce1c4e023d113f3c1e724ce5d49..bf12fc7c3ea1b3fe9ab2dc84ad157999b32f9197 100644 (file)
@@ -192,8 +192,8 @@ _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
                           gnutls_datum_t *cert2bin);
 
 bool
-_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
-                             gnutls_datum_t *certbin);
+_gnutls_check_valid_key_id(gnutls_datum_t *key_id,
+                          gnutls_datum_t *certbin, time_t now);
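Review bot: The renamed prototype carries no comment, and its contract is no longer obvious from the name now that a time argument is involved. I would add above it: `/* True when certbin parses as a certificate whose validity period includes 'now' and whose subjectKeyIdentifier equals key_id; false on parse error or mismatch. */`. The parse-error and mismatch outcomes are inferred from the common.c hunk, whose `out` path lies outside the visible lines, so confirm them against the definition.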
 
 bool
 _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,