From: Nikos Mavrogiannopoulos Date: Fri, 5 Dec 2014 09:04:50 +0000 (+0100) Subject: when the trusted list contains a non-CA certificate warn via the audit log X-Git-Tag: gnutls_3_4_0~497 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=97caacfcd98132c25424ef4e2d8907915d090f37;p=thirdparty%2Fgnutls.git when the trusted list contains a non-CA certificate warn via the audit log
---
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index b8e8be4606..7eae299c32 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -315,6 +315,18 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
 return i;
 }
+ if (gnutls_x509_crt_get_version(clist[i]) >= 3 &&
+ gnutls_x509_crt_get_ca_status(clist[i], NULL) <= 0) {
+ gnutls_datum_t dn;
+ gnutls_assert();
+ if (gnutls_x509_crt_get_dn2(clist[i], &dn) >= 0) {
+ _gnutls_audit_log(NULL,
+ "There was a non-CA certificate in the trusted list: %s.\n",
+ dn.data);
+ gnutls_free(dn.data);
+ }
+ }
+
 list->node[hash].trusted_cas[list->node[hash].
 trusted_ca_size] = clist[i];
 list->node[hash].trusted_ca_size++;
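Review bot: The new audit entry passes `dn.data` straight into `_gnutls_audit_log()`, and a DN taken from a certificate in the trust list can carry CR/LF or other control characters unless the RFC 4514 encoder behind `gnutls_x509_crt_get_dn2()` escapes them, so a crafted trust-store entry could split or forge audit lines; worth confirming that escaping, or stripping control bytes before the log call. The warning is advisory only: the branch falls through to the assignment into `trusted_cas` right after it, so the non-CA certificate is still installed as a trust anchor and the caller receives no error, which a comment such as `/* Advisory only: the certificate is still added as a trust anchor below. */` above the `if` would make explicit. The `<= 0` test treats every negative return from `gnutls_x509_crt_get_ca_status()`, including a missing basicConstraints extension, the same as an explicit CA:FALSE, which matches RFC 5280 for v3 certificates but also folds in extension parse failures. gnutls_x509_trust_list_add_cas() starts and ends outside the hunk.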