From: Nikos Mavrogiannopoulos
Date: Tue, 7 Oct 2014 14:20:18 +0000 (+0200)
Subject: pkcs11: always check for a valid subjectKeyIdentifier match
X-Git-Tag: gnutls_3_4_0~827
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cd8e1185d31eedde226fd54d78e45c93bfb17159;p=thirdparty%2Fgnutls.git

pkcs11: always check for a valid subjectKeyIdentifier match

That way, expired certificates can co-exist with their replacements.
---
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index cef0700dfd..13dee0aae0 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3124,6 +3124,7 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
 gnutls_datum_t data = {NULL, 0};
 unsigned tries, i, finalized;
 ck_bool_t trusted = 1;
+ time_t now;
 if (info == NULL) {
 gnutls_assert();
@@ -3149,6 +3150,7 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
 else
 tries = 1;
+ now = gnutls_time(0);
 for (i = 0; i < tries; i++) {
 a_vals = 0;
@@ -3247,8 +3249,8 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
 gnutls_datum_t id = { a[1].value, a[1].value_len };
- if (i > 0 && priv->key_id.size > 0 &&
- !_gnutls_check_subject_key_id2(&priv->key_id, &data)) {
+ if (priv->key_id.size > 0 &&
+ !_gnutls_check_valid_key_id(&priv->key_id, &data, now)) {
 gnutls_assert();
 continue;
 }
diff --git a/lib/x509/common.c b/lib/x509/common.c
index a86bbe1292..616228f152 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1952,8 +1952,8 @@ int x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert,
 }
 bool
-_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
- gnutls_datum_t *certbin)
+_gnutls_check_valid_key_id(gnutls_datum_t *key_id,
+ gnutls_datum_t *certbin, time_t now)
 {
 uint8_t id[MAX_KEY_ID_SIZE];
 size_t id_size;
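Review bot: The `gnutls_assert(); continue;` path in the third lib/pkcs11.c hunk now covers two distinct reasons — a subjectKeyIdentifier mismatch and a certificate outside its validity period — but records neither, so a lookup that ends in "not found" because every candidate carrying the requested key id has expired is indistinguishable from a plain mismatch. A debug log line before `continue` that names the object being skipped would make that case diagnosable. Dropping `i > 0` is also a behaviour change worth a sentence in the commit message: the key-id check now runs on the first pass too, so presumably a token that holds only an expired certificate for a given key id no longer satisfies the lookup at all. find_cert_cb starts and ends outside this hunk.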
@@ -1970,6 +1970,13 @@ _gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
 goto out;
 }
+ if (now > gnutls_x509_crt_get_expiration_time(cert) &&
+ now < gnutls_x509_crt_get_activation_time(cert)) {
+ /* don't bother, certificate is not yet activated or expired */
+ gnutls_assert();
+ goto out;
+ }
+
 if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) {
 gnutls_assert();
 goto out;
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 6af4c410b1..bf12fc7c3e 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -192,8 +192,8 @@ _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
 gnutls_datum_t *cert2bin);
 bool
-_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
- gnutls_datum_t *certbin);
+_gnutls_check_valid_key_id(gnutls_datum_t *key_id,
+ gnutls_datum_t *certbin, time_t now);
 bool
 _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
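Review bot: The validity check added at the top of the lib/x509/common.c hunk can never trigger, because `now > expiration && now < activation` requires a certificate whose notBefore lies after its notAfter; for any well-formed certificate the condition is false, so expired certificates still pass and the commit does not achieve what its message states. The comment on the following line already describes an OR, and the condition should read `if (now > gnutls_x509_crt_get_expiration_time(cert) || now < gnutls_x509_crt_get_activation_time(cert)) {`. With the corrected `||`, note that both getters report a parse failure as `(time_t)-1` per their documented contract, which this test then treats as "expired"; that is the safe direction, but it deserves a short comment so the next reader does not take it for an oversight. _gnutls_check_valid_key_id begins before this hunk and its `out:` label lies after it.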