]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Move down revocation check to revert code to how it looked before.
authorSimon Josefsson <simon@josefsson.org>
Fri, 6 Feb 2009 19:13:45 +0000 (20:13 +0100)
committerSimon Josefsson <simon@josefsson.org>
Fri, 6 Feb 2009 19:13:45 +0000 (20:13 +0100)
The idea is that if you have marked a cert as trusted, you may want to trust
it even though some authority has revoked it.  This changes back how
this code used to work.

lib/x509/verify.c

index ee66060227256922e6ecc1bdba412a9495cbcdee..af97f4b0a3f0625506de3b9dabe39ca5f88ab153 100644 (file)
@@ -415,22 +415,6 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
   int i = 0, ret;
   unsigned int status = 0, output;
 
-  /* Check for revoked certificates in the chain
-   */
-#ifdef ENABLE_PKI
-  for (i = 0; i < clist_size; i++)
-    {
-      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
-                                             CRLs, crls_size);
-      if (ret == 1)
-       {                       /* revoked */
-         status |= GNUTLS_CERT_REVOKED;
-         status |= GNUTLS_CERT_INVALID;
-         return status;
-       }
-    }
-#endif
-
   if (clist_size > 1)
     {
       /* Check if the last certificate in the path is self signed.
@@ -493,6 +477,22 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
       return status;
     }
 
+  /* Check for revoked certificates in the chain
+   */
+#ifdef ENABLE_PKI
+  for (i = 0; i < clist_size; i++)
+    {
+      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
+                                             CRLs, crls_size);
+      if (ret == 1)
+       {                       /* revoked */
+         status |= GNUTLS_CERT_REVOKED;
+         status |= GNUTLS_CERT_INVALID;
+         return status;
+       }
+    }
+#endif
+
   /* Verify the certificate path (chain)
    */
   for (i = clist_size - 1; i > 0; i--)