authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-09-03 14:33:40 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-09-03 14:33:40 +0200
commitd1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31 (patch)
treec762c72765a018d10dcc2505b01433a42a6dbee4
parentb232d205d405542d89ccf783c580efe8e022a750 (diff)
When comparing an end certificate with the trusted list, compare the entire certificate
-rw-r--r--lib/x509/common.h2
-rw-r--r--lib/x509/verify.c28
2 files changed, 21 insertions, 9 deletions
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 76ba54a123..f79d6b53e7 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -177,7 +177,7 @@ _gnutls_x509_get_raw_field2(ASN1_TYPE c2, gnutls_datum_t * raw,
bool
_gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
- gnutls_datum_t * cert2bin);
+ gnutls_datum_t *cert2bin);
bool
_gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 7f9831a6e9..af302b8a7e 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -39,14 +39,20 @@
#include <gnutls_pk.h>
#include <stdbool.h>
-/* Checks if two certs have the same name and the same key. Return 1 on match. */
+/* Checks if two certs have the same name and the same key. Return 1 on match.
+ * If @is_ca is zero then this function is identical to _gnutls_check_if_same_cert()
+ */
static bool
_gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
- gnutls_x509_crt_t cert2)
+ gnutls_x509_crt_t cert2,
+ unsigned is_ca)
{
int ret;
bool result;
+ if (is_ca == 0)
+ return _gnutls_check_if_same_cert(cert1, cert2);
+
ret = _gnutls_is_same_dn(cert1, cert2);
if (ret == 0)
return 0;
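Review bot: The new early return at `if (is_ca == 0)` changes what this function means for its callers, but the added comment states only the mechanism (delegation to _gnutls_check_if_same_cert()) and not the reason, which is the security point of the commit. I would extend the comment with that reason: `* For an end certificate a subject+key match is not sufficient: a trusted entry with the same name and key but otherwise different contents must not be accepted as the same certificate, so the entire certificate is compared.` The flag is tested only against zero, so any non-zero value selects the CA path; stating that (`non-zero: CA comparison, subject name and key only`) stops a reader from assuming it must be exactly 1. The body of _gnutls_check_if_same_key continues past this hunk.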
@@ -57,7 +63,6 @@ _gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
else
result = 0;
- fail:
return result;
}
@@ -78,7 +83,7 @@ _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
return gnutls_assert_val(0);
}
- ret = _gnutls_check_if_same_key(cert1, cert2);
+ ret = _gnutls_check_if_same_key(cert1, cert2, 1);
gnutls_x509_crt_deinit(cert2);
return ret;
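Review bot: The literal `1` in `_gnutls_check_if_same_key(cert1, cert2, 1)` is a flag whose meaning cannot be seen at the call site, and nothing here says that _gnutls_check_if_same_key2 is now a CA-only (name and key) comparison. A one-line comment such as `/* CA comparison: subject name and key only, not the whole certificate */` above the call, or a named constant for the flag, would make the call self-explanatory. _gnutls_check_if_same_key2 begins outside the hunk.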
@@ -887,7 +892,7 @@ _gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
* because it can happen that a CA certificate is upgraded from intermediate
* CA to self-signed CA at some point. */
if (_gnutls_check_if_same_key
- (certificate_list[i], trusted_cas[j]) != 0) {
+ (certificate_list[i], trusted_cas[j], i) != 0) {
/* explicit time check for trusted CA that we remove from
* list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS
*/
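Review bot: Passing the chain index `i` as the `is_ca` argument in `_gnutls_check_if_same_key(certificate_list[i], trusted_cas[j], i)` works only because the callee compares the value against zero, and it reads as if an index were being passed rather than a flag. I would make the intent explicit with `i != 0` or a local `unsigned is_ca = (i != 0);` so the relationship "position 0 is the end certificate, everything else is a CA" is visible at the call. The comment above the call (`a CA certificate is upgraded from intermediate CA to self-signed CA`) now only explains the CA case; a sentence noting that the end certificate (i == 0) is matched as a whole rather than by name and key would complete it. The enclosing loop of _gnutls_verify_crt_status starts and ends outside the hunk.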
@@ -1032,9 +1037,16 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
i = 1; /* do not replace the first one */
for (; i < clist_size; i++) {
- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i],
- GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
- GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED) != 0) {
+ unsigned vflags;
+
+ if (i == 0) /* in the end certificate do full comparison */
+ vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+ GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
+ else
+ vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+ GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
+
+ if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) &&
!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) {