author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-09-02 20:56:32 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-09-02 22:05:46 +0200 |
commit | 9dbe3aab9e157ef8f7a67112a4619d4f028519dc (patch) | |
tree | 6644dbc02a7df02901f83766bf9e46dfd86d8d5a /lib/includes/gnutls/pkcs11.h | |
parent | f9372aab943862371d48b6a77b2b0adb2f414a3d (diff) | |
download | gnutls-9dbe3aab9e157ef8f7a67112a4619d4f028519dc.tar.gz |
when comparing a CA certificate with the trusted list compare the name and key
That is to handle cases where a CA certificate was superseded by a different
one with the same name and the same key. That can happen when an intermediate
CA certificate is replaced by a self-signed one.
Diffstat (limited to 'lib/includes/gnutls/pkcs11.h')
-rw-r--r-- | lib/includes/gnutls/pkcs11.h | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index da6cf8c4bd..8fd121dab6 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -101,9 +101,10 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
  * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: marked as not private.
  * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY: When retrieving an object, do not set any requirements.
  * GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED: When retrieving an object, only retrieve the marked as trusted.
- * In gnutls_pkcs11_crt_is_known() it implies GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE.
+ * In gnutls_pkcs11_crt_is_known() it implies %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE if %GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is not given.
  * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED: When retrieving an object, only retrieve the marked as distrusted.
- * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE: When checking an object's presence, full compare it before returning any result.
+ * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE: When checking an object's presence, fully compare it before returning any result.
+ * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY: When checking an object's presence, compare the key before returning any result.
  * @GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE: The object must be present in a marked as trusted module.
  * @GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Mark the object as a CA.
  * @GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP: Mark the generated key pair as wrapping and unwrapping keys.
@@ -123,7 +124,8 @@ typedef enum gnutls_pkcs11_obj_flags {
 	GNUTLS_PKCS11_OBJ_FLAG_COMPARE = (1<<9),
 	GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE = (1<<10),
 	GNUTLS_PKCS11_OBJ_FLAG_MARK_CA = (1<<11),
-	GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP = (1<<12)
+	GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP = (1<<12),
+	GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY = (1<<13)
 } gnutls_pkcs11_obj_flags;
 
 /** |
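Review bot: The rewritten RETRIEVE_TRUSTED line in the first hunk cross-references `%GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE`, but the enum in the second hunk defines only GNUTLS_PKCS11_OBJ_FLAG_COMPARE (1<<9), so the `%` form points gtk-doc at a symbol that does not exist; the line should read `* In gnutls_pkcs11_crt_is_known() it implies %GNUTLS_PKCS11_OBJ_FLAG_COMPARE if %GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is not given.` The new COMPARE_KEY description says only "compare the key", whereas the commit message describes a match on name and key; whichever the implementation does, the comment should make clear that this is a weaker check than FLAG_COMPARE, since a certificate with the same subject and key but different extensions, validity or issuer would still be reported as known, e.g. `@GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY: When checking an object's presence, compare only the name and key rather than the full certificate before returning any result; weaker than GNUTLS_PKCS11_OBJ_FLAG_COMPARE.` It is also not stated which check applies when a caller sets both COMPARE and COMPARE_KEY, which is possible since they are independent bits; a sentence on precedence would avoid callers assuming the stricter one wins. The doc comment block and the enum both begin above their hunks.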