From: Nikos Mavrogiannopoulos Date: Wed, 17 Sep 2014 11:26:25 +0000 (+0200) Subject: pkcs11: when a signer isn't found in PKCS #11 force the verification of the chain X-Git-Tag: gnutls_3_4_0~923 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3cd0eff4b2cb0b6f8ccca68d1d47564fee7b8a06;p=thirdparty%2Fgnutls.git pkcs11: when a signer isn't found in PKCS #11 force the verification of the chain That allows obtaining any additional flags from the chain such as insecure algorithms or expirations. --- diff --git a/lib/x509/verify.c b/lib/x509/verify.c index e71832d9ed..22902206f0 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -1144,6 +1144,11 @@ _gnutls_pkcs11_verify_crt_status(const char* url, status |= GNUTLS_CERT_INVALID; status |= GNUTLS_CERT_SIGNER_NOT_FOUND; + /* verify the certificate list against 0 trusted CAs in order + * to get, any additional flags from the certificate list (e.g., + * insecure algorithms or expired */ + status |= _gnutls_verify_crt_status(certificate_list, clist_size, + NULL, 0, flags, func); goto cleanup; }
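Review bot: the new call in the `_gnutls_pkcs11_verify_crt_status` hunk passes `NULL, 0` as the trusted-CA list, so please confirm that `_gnutls_verify_crt_status` tolerates an empty trusted list and returns a status bitmask that is safe to OR into `status` here (it will presumably re-set `GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND`, which is redundant but harmless, and the point of the change is to also pick up the chain's own flags such as insecure algorithms or expiry). The added comment also needs cleanup: it has a stray comma in "to get, any additional flags" and the parenthetical "(e.g., insecure algorithms or expired" is never closed; something like `/* verify the chain against 0 trusted CAs to collect any additional flags from it (e.g., insecure algorithms or expired certificates) */` would read correctly.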