author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-17 15:07:03 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-18 12:59:04 +0200 |
commit | 6b9818ec4a10466c871b7a99bc7b392d4a590877 (patch) | |
tree | bd0f6dc53138e8a719844063980ceef1fec49bc0 /lib/x509/pkcs7.c | |
parent | 08a8f68e38c1c6491db4997140a0d43711b54830 (diff) | |
download | gnutls-6b9818ec4a10466c871b7a99bc7b392d4a590877.tar.gz |
gnutls_x509_crt_verify_data2: introduce constraints checks on the provided certificate
That is, check the provided certificate for validity in time and key usage.
Diffstat (limited to 'lib/x509/pkcs7.c')
-rw-r--r-- | lib/x509/pkcs7.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index b2de03f2d4..764fb599fd 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -965,6 +965,10 @@ gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
  * provided are NULL then the data in the encapsulatedContent field
  * will be used instead.
  *
+ * Note that, unlike gnutls_pkcs7_verify() this function does not
+ * verify the key purpose of the signer. It is expected for the caller
+ * to verify the intended purpose of the %signer -e.g., via gnutls_x509_crt_get_key_purpose_oid().
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value. A verification error results to a
  * %GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data
@@ -1239,8 +1243,8 @@ int gnutls_pkcs7_verify(gnutls_pkcs7_t pkcs7,
 signer = find_signer(pkcs7, tl, vdata, vdata_size, &info);
 if (signer) {
 ret =
- gnutls_x509_crt_verify_data2(signer, info.algo, flags,
- &sigdata, &info.sig);
+ gnutls_x509_crt_verify_data3(signer, info.algo, vdata, vdata_size,
+ &sigdata, &info.sig, flags);
 if (ret < 0) {
 gnutls_assert();
 }
|
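Review bot: In the second hunk, the constraint checks that gnutls_x509_crt_verify_data3() performs depend on the `vdata`/`vdata_size` and `flags` the caller passed in, and nothing at the call site says what is enforced when `vdata` is NULL or `vdata_size` is 0. If an empty `vdata` means no key purpose is checked (not visible here, so to be confirmed), then the first hunk's statement that gnutls_pkcs7_verify() verifies the signer's key purpose holds only for callers that supply one, and the documentation should say so. I would add a comment above the call such as `/* vdata carries the caller's expected constraints; confirm what is enforced when vdata_size == 0 */`. Within the hunk the failure branch only calls gnutls_assert(), and the rest of gnutls_pkcs7_verify() lies outside it, so whether a constraint failure (expired certificate, wrong key usage) can be told apart from a bad signature cannot be checked from here.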