diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-09-03 14:33:40 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-09-03 14:33:40 +0200 |
commit | d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31 (patch) | |
tree | c762c72765a018d10dcc2505b01433a42a6dbee4 | |
parent | b232d205d405542d89ccf783c580efe8e022a750 (diff) | |
download | gnutls-d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31.tar.gz |
when comparing an end-certificate with the trusted list compare the entire certificate
-rw-r--r-- | lib/x509/common.h | 2 | ||||
-rw-r--r-- | lib/x509/verify.c | 28 |
2 files changed, 21 insertions, 9 deletions
diff --git a/lib/x509/common.h b/lib/x509/common.h index 76ba54a123..f79d6b53e7 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -177,7 +177,7 @@ _gnutls_x509_get_raw_field2(ASN1_TYPE c2, gnutls_datum_t * raw, bool _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1, - gnutls_datum_t * cert2bin); + gnutls_datum_t *cert2bin); bool _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1, diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 7f9831a6e9..af302b8a7e 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -39,14 +39,20 @@ #include <gnutls_pk.h> #include <stdbool.h> -/* Checks if two certs have the same name and the same key. Return 1 on match. */ +/* Checks if two certs have the same name and the same key. Return 1 on match. + * If @is_ca is zero then this function is identical to _gnutls_check_if_same_cert() + */ static bool _gnutls_check_if_same_key(gnutls_x509_crt_t cert1, - gnutls_x509_crt_t cert2) + gnutls_x509_crt_t cert2, + unsigned is_ca) { int ret; bool result; + if (is_ca == 0) + return _gnutls_check_if_same_cert(cert1, cert2); + ret = _gnutls_is_same_dn(cert1, cert2); if (ret == 0) return 0; @@ -57,7 +63,6 @@ _gnutls_check_if_same_key(gnutls_x509_crt_t cert1, else result = 0; - fail: return result; } @@ -78,7 +83,7 @@ _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1, return gnutls_assert_val(0); } - ret = _gnutls_check_if_same_key(cert1, cert2); + ret = _gnutls_check_if_same_key(cert1, cert2, 1); gnutls_x509_crt_deinit(cert2); return ret; @@ -887,7 +892,7 @@ _gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list, * because it can happen that a CA certificate is upgraded from intermediate * CA to self-signed CA at some point. */ if (_gnutls_check_if_same_key - (certificate_list[i], trusted_cas[j]) != 0) { + (certificate_list[i], trusted_cas[j], i) != 0) { /* explicit time check for trusted CA that we remove from * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS */ @@ -1032,9 +1037,16 @@ _gnutls_pkcs11_verify_crt_status(const char* url, i = 1; /* do not replace the first one */ for (; i < clist_size; i++) { - if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], - GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| - GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED) != 0) { + unsigned vflags; + + if (i == 0) /* in the end certificate do full comparison */ + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| + GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; + else + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; + + if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) && !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { |