From: Nikos Mavrogiannopoulos
Date: Thu, 3 Apr 2014 15:27:13 +0000 (+0200)
Subject: When verifying check for the same certificate in the trusted list, not only the issuer
X-Git-Tag: gnutls_3_3_0~58
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9;p=thirdparty%2Fgnutls.git

When verifying check for the same certificate in the trusted list, not only the issuer

When the certificate list verifying ends in a non self-signed certificate, and the self-signed isn't in our trusted list, make sure that we search for the non-self-signed in our list as well. This affects, gnutls_x509_trust_list_verify_crt() and makes its results identical to gnutls_x509_crt_list_verify().
---

diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 13395abd77..17f50a84c6 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -741,6 +741,29 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
 list-> node[hash].trusted_ca_size, flags, func);
+
+#define LAST_DN cert_list[cert_list_size-1]->raw_dn
+#define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
+
+ if ((*voutput) & GNUTLS_CERT_SIGNER_NOT_FOUND &&
+ (LAST_DN.size != LAST_IDN.size ||
+ memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) {
+
+ /* if we couldn't find the issuer, try to see if the last
+ * certificate is in the trusted list and try to verify against
+ * (if it is not self signed) */
+ hash =
+ hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.
+ data, cert_list[cert_list_size - 1]->raw_dn.size);
+ hash %= list->size;
+
+ *voutput =
+ _gnutls_verify_crt_status(cert_list, cert_list_size,
+ list->node[hash].trusted_cas,
+ list->
+ node[hash].trusted_ca_size,
+ flags, func);
+ }
 }
 if (*voutput != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS))
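Review bot: The two `#define`s at the top of the added block are placed inside the function body with no matching `#undef`, so `LAST_DN` and `LAST_IDN` remain defined for the rest of verify-high.c, and the block does not even use them consistently — the `hash_pjw_bare()` call re-spells `cert_list[cert_list_size - 1]->raw_dn` instead of `LAST_DN`. I would write that call as `hash = hash_pjw_bare(LAST_DN.data, LAST_DN.size);` and add `#undef LAST_DN` / `#undef LAST_IDN` right after the closing brace of the new `if`, or drop the macros for two local pointers to the last certificate's subject and issuer DNs. The `memcmp()` length is only safe because the `||` short-circuits on unequal sizes, which is worth a comment such as `/* sizes already equal here */`, and the second `_gnutls_verify_crt_status()` call overwrites `*voutput` wholesale, which looks intended (it recomputes the status against the bucket for the last certificate's own subject DN) but should be stated in the comment. Whether the trusted entry found in that bucket must match the last certificate exactly, as the commit subject says, is decided inside `_gnutls_verify_crt_status()`, outside this hunk; gnutls_x509_trust_list_verify_crt() begins before and continues after the hunk.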