diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-03 14:54:38 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-03 15:06:57 +0100 |
commit | bf88726c841417b99c1f6abeaaa4636c020760c2 (patch) | |
tree | f28e4d51e31e9aecf20902d105d7ec18afffbcbb | |
parent | cb32c573fdfe2c588a7de23aa34b7e7b8650dc7e (diff) | |
download | gnutls-bf88726c841417b99c1f6abeaaa4636c020760c2.tar.gz |
when using a PKCS #11 module for verification ensure that it has been marked a trusted module in p11-kit.
-rw-r--r-- | lib/x509/verify.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 546f2d3896..2b64ab690b 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -727,6 +727,25 @@ _gnutls_pkcs11_verify_certificate(const char* url, unsigned int status = 0, i; gnutls_x509_crt_t issuer = NULL; gnutls_datum_t raw_issuer = {NULL, 0}; + unsigned int is_token_ok = 0; + size_t t; + + t = sizeof(is_token_ok); + ret = gnutls_pkcs11_token_get_info(url, GNUTLS_PKCS11_TOKEN_TRUSTED_UINT, + &is_token_ok, &t); + if (ret < 0) { + _gnutls_debug_log("Cannot allow verifying against a token it's trust status cannot be determined\n"); + gnutls_assert(); + status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND; + return status; + } + + if (is_token_ok == 0) { + _gnutls_debug_log("Cannot allow verifying against a token that is not a trust module\n"); + gnutls_assert(); + status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND; + return status; + } if (clist_size > 1) { /* Check if the last certificate in the path is self signed. |