authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-23 23:13:50 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-28 09:28:43 +0200
commit14f13a25c8ec9fb31f3a6b4971c73c48d39f5b45 (patch)
tree26ddde4d29ac05a8ff830f1310f672bffdf94dc9
parent5b3dbb3422aeaec19f284624fcea97bc8e0a0d11 (diff)
gnutls_pkcs11_crt_is_known: always assume GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given
-rw-r--r--lib/pkcs11.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 50d0621ce9..4210bdc877 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3993,10 +3993,10 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
priv.issuer_dn.data = cert->raw_issuer_dn.data;
priv.issuer_dn.size = cert->raw_issuer_dn.size;
- /* when looking for a trusted certificate, we always fully compare
- * with the given */
- if (flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED && !(flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY))
+ /* assume PKCS11_OBJ_FLAG_COMPARE everywhere but DISTRUST info */
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) && !(flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY)) {
flags |= GNUTLS_PKCS11_OBJ_FLAG_COMPARE;
+ }
priv.flags = flags;
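Review bot: The new condition no longer forces a full comparison when a caller passes both GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED and GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, whereas the removed test added GNUTLS_PKCS11_OBJ_FLAG_COMPARE whenever RETRIEVE_TRUSTED was set without COMPARE_KEY. If that combination can reach this function, a trusted lookup would presumably match on less than the whole certificate; keeping the old guarantee would look like `if ((flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED || !(flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED)) && !(flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY))`. The added comment also omits the COMPARE_KEY exception and the reason distrust lookups are exempt; something like `/* default to a full certificate comparison; only distrust lookups and explicit COMPARE_KEY requests may match on less than the whole certificate */` would record the intent. The function's body and its API documentation lie outside the hunk, so the documented flag semantics should be checked against this new default.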