From: Nikos Mavrogiannopoulos
Date: Tue, 18 Oct 2016 08:01:49 +0000 (+0200)
Subject: certtool: introduce key purpose checks in p7 direct verification
X-Git-Tag: gnutls_3_5_6~55
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=110b6d3111bf41377a9bb9f6fdbf2249eff84cea;p=thirdparty%2Fgnutls.git

certtool: introduce key purpose checks in p7 direct verification
---
diff --git a/src/certtool.c b/src/certtool.c
index fd6b7106de..09ba675dab 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2912,9 +2912,16 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
 if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
 flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
- if (signer)
+ if (signer) {
 ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
- else
+
+ if (ret >= 0 && purpose) {
+ unsigned res = gnutls_x509_crt_check_key_purpose(signer, purpose, 0);
+ if (res == 0)
+ ret = GNUTLS_E_CONSTRAINT_ERROR;
+ }
+
+ } else
 ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
 if (ret < 0) {
 fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
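Review bot: The new purpose check in the `if (signer)` branch calls `gnutls_x509_crt_check_key_purpose(signer, purpose, 0)` with a zero flags argument, so a signer certificate carrying the anyExtendedKeyUsage OID will satisfy whatever purpose the user asked for; if the intent of `--verify-purpose` here is that the signer must explicitly assert the purpose, pass `GNUTLS_KP_FLAG_DISALLOW_ANY` instead of `0`, and if accepting "any" is deliberate, say so with a comment such as `/* flags=0: the anyExtendedKeyUsage OID is accepted for every purpose */`. The mapping of a purpose mismatch to `GNUTLS_E_CONSTRAINT_ERROR` is sound because it keeps the existing `ret < 0` path failing closed, but the generic `gnutls_strerror` text printed there will not tell the user that the key purpose was the reason; a dedicated message on that path (e.g. a `fprintf(stderr, ...)` naming the requested purpose before setting `ret`) would make the failure diagnosable. Note that only the direct-verification branch gets this check; the `gnutls_pkcs7_verify` branch is presumably expected to enforce purpose through `vdata`, which is worth confirming since it is not visible in this hunk. The enclosing function verify_pkcs7 starts and ends outside the hunk.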