author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-12-09 16:45:19 +0100 |
---|---|---|
committer | GitLab <gitlab@gitlab.com> | 2016-12-31 17:13:34 +0000 |
commit | b9d2c08d490f0ef3125af4f97ae2a45b8ba8a1f9 (patch) | |
tree | 23c7c7a580318a03dff5838d3c034b88a3bc3992 | |
parent | 85196de6840796b88cfd71274b980a7aad681f82 (diff) | |
pkcs11 verification: ensure that an issuer we retrieve is not blacklisted (branch: tmp-fix-pkcs11-verification)
It may happen in p11-kit trust module that a trusted certificate is
both in the trusted set, and the blacklisted set. To avoid accepting
a certificate when in both sets, we always check whether a trusted
issuer certificate is in the blacklisted set.
-rw-r--r-- | lib/x509/verify.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 84746d4e85..3159e70f6f 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -1169,6 +1169,17 @@ _gnutls_pkcs11_verify_crt_status(const char* url, goto cleanup; } + /* check if the raw issuer is blacklisted (it can happen if + * the issuer is both in the trusted list and the blacklisted) + */ + if (gnutls_pkcs11_crt_is_known (url, issuer, + GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| + GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) != 0) { + status |= GNUTLS_CERT_INVALID; + status |= GNUTLS_CERT_SIGNER_NOT_FOUND; /* if the signer is revoked - it is as if it doesn't exist */ + goto cleanup; + } + /* security modules that provide trust, bundle all certificates (of all purposes) * together. In software that doesn't specify any purpose assume the default to * be www-server. */ |
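Review bot: the inline comment on the added `status |= GNUTLS_CERT_SIGNER_NOT_FOUND;` line says "if the signer is revoked", but the condition being tested is a distrust/blacklist match (`GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED`), not revocation, and the commit message consistently speaks of the blacklisted set; suggest rewording to "if the signer is blacklisted (distrusted) - it is as if it doesn't exist" so the comment, the flags and the commit message use one term. Also worth a one-line note above the call that `!= 0` is intended to treat any non-zero result from `gnutls_pkcs11_crt_is_known` as "found in the distrusted set", since a reader of this hunk alone cannot tell whether the function can also return an error value that would be folded into the same branch.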