gnutls_x509_crt_verify_data2: introduce constraints checks on the provided certificate

That is check the provided certificate for validity in time and key usage.

1 files changed, 6 insertions, 2 deletions

diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index b2de03f2d4..764fb599fd 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -965,6 +965,10 @@ gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
  * provided are NULL then the data in the encapsulatedContent field
  * will be used instead.
  *
+ * Note that, unlike gnutls_pkcs7_verify() this function does not
+ * verify the key purpose of the signer. It is expected for the caller
+ * to verify the intended purpose of the %signer -e.g., via gnutls_x509_crt_get_key_purpose_oid().
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value. A verification error results to a
  *   %GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data
@@ -1239,8 +1243,8 @@ int gnutls_pkcs7_verify(gnutls_pkcs7_t pkcs7,
 	signer = find_signer(pkcs7, tl, vdata, vdata_size, &info);
 	if (signer) {
 		ret =
-		    gnutls_x509_crt_verify_data2(signer, info.algo, flags,
-						 &sigdata, &info.sig);
+		    gnutls_x509_crt_verify_data3(signer, info.algo, vdata, vdata_size,
+						 &sigdata, &info.sig, flags);
 		if (ret < 0) {
 			gnutls_assert();
 		}