author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-09-20 16:44:51 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-09-21 13:09:40 +0200 |
commit | 39a6de929c1a6baa2b7914bfa89275b3ee4db0e2 (patch) | |
tree | 71e1700c0e74282dec4e6cb6eda439a48890da6e /lib/x509 | |
parent | cc54c334f8a1f77a03d4e26ed6ac9a3f132a463f (diff) | |
Provide a more flexible PKCS#11 search of trust store certificates (tmp-pkcs11-lax-search)
This addresses the problem where the CA certificate doesn't
have a subject key identifier whereas the end certificates
have an authority key identifier.
Resolves #569
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/x509')
-rw-r--r-- | lib/x509/common.c | 9 | ||||
-rw-r--r-- | lib/x509/common.h | 3 |
2 files changed, 10 insertions, 2 deletions
diff --git a/lib/x509/common.c b/lib/x509/common.c
index c978c024e1..4a3e8376f7 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1674,12 +1674,16 @@ int x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert,
 unsigned _gnutls_check_valid_key_id(gnutls_datum_t *key_id,
- gnutls_x509_crt_t cert, time_t now)
+ gnutls_x509_crt_t cert, time_t now,
+ unsigned *has_ski)
 {
 uint8_t id[MAX_KEY_ID_SIZE];
 size_t id_size;
 unsigned result = 0;
+ if (has_ski)
+ *has_ski = 0;
+
 if (now > gnutls_x509_crt_get_expiration_time(cert) ||
 now < gnutls_x509_crt_get_activation_time(cert)) {
 /* don't bother, certificate is not yet activated or expired */
@@ -1693,6 +1697,9 @@ _gnutls_check_valid_key_id(gnutls_datum_t *key_id,
 goto out;
 }
+ if (has_ski)
+ *has_ski = 1;
+
 if (id_size == key_id->size && !memcmp(id, key_id->data, id_size))
 result = 1;
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 637121c2ee..2ff979380f 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -236,7 +236,8 @@ _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
 unsigned _gnutls_check_valid_key_id(gnutls_datum_t *key_id,
- gnutls_x509_crt_t cert, time_t now);
+ gnutls_x509_crt_t cert, time_t now,
+ unsigned *has_ski);
 unsigned _gnutls_check_key_purpose(gnutls_x509_crt_t cert, const char *purpose, unsigned no_any); |
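Review bot: In the first common.c hunk `*has_ski` is cleared on entry and only set to 1 after the subject key identifier has been read, so the early exit for a certificate outside its validity period (`if (now > gnutls_x509_crt_get_expiration_time(cert) || ...`) also reports `*has_ski == 0` for a certificate that does carry an SKI; a caller that treats `*has_ski == 0` as the cue to fall back to a laxer, non-key-id match would then apply that fallback to a time-invalid certificate as well. If that conflation is intended, document it on the new prototype in common.h, e.g. `/* has_ski (optional out): 1 only if an SKI was read from cert; 0 if absent, unreadable, or cert is outside its validity period */`; if not, the validity check should not prevent `*has_ski` from being reported. The SKI read and the `out:` label sit between the two hunks and are not visible here, so this is inferred from the `goto out` paths that are. The common.h hunk only carries the matching prototype change.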