when using a PKCS #11 module for verification ensure that it has been marked a trusted module in p11-kit.

author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2014-02-03 14:54:38 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2014-02-03 15:06:57 +0100
commit: bf88726c841417b99c1f6abeaaa4636c020760c2 (patch)
tree: f28e4d51e31e9aecf20902d105d7ec18afffbcbb
parent: cb32c573fdfe2c588a7de23aa34b7e7b8650dc7e (diff)
download: gnutls-bf88726c841417b99c1f6abeaaa4636c020760c2.tar.gz
1 files changed, 19 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 546f2d3896..2b64ab690b 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -727,6 +727,25 @@ _gnutls_pkcs11_verify_certificate(const char* url,
 	unsigned int status = 0, i;
 	gnutls_x509_crt_t issuer = NULL;
 	gnutls_datum_t raw_issuer = {NULL, 0};
+	unsigned int is_token_ok = 0;
+	size_t t;
+
+	t = sizeof(is_token_ok);
+	ret = gnutls_pkcs11_token_get_info(url, GNUTLS_PKCS11_TOKEN_TRUSTED_UINT,
+		&is_token_ok, &t);
+	if (ret < 0) {
+		_gnutls_debug_log("Cannot allow verifying against a token it's trust status cannot be determined\n");
+		gnutls_assert();
+		status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
+		return status;
+	}
+
+	if (is_token_ok == 0) {
+		_gnutls_debug_log("Cannot allow verifying against a token that is not a trust module\n");
+		gnutls_assert();
+		status |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
+		return status;
+	}
 
 	if (clist_size > 1) {
 		/* Check if the last certificate in the path is self signed.
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2014-02-03 14:54:38 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2014-02-03 15:06:57 +0100
commit	bf88726c841417b99c1f6abeaaa4636c020760c2 (patch)
tree	f28e4d51e31e9aecf20902d105d7ec18afffbcbb
parent	cb32c573fdfe2c588a7de23aa34b7e7b8650dc7e (diff)
download	gnutls-bf88726c841417b99c1f6abeaaa4636c020760c2.tar.gz