author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-18 10:01:49 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-18 12:59:14 +0200 |
commit | 110b6d3111bf41377a9bb9f6fdbf2249eff84cea (patch) | |
tree | fdcd1ef58fb4767126b92c3391fe020c78863262 /src | |
parent | 9174d813f24358fd1e135ec3721d65fda9c650d5 (diff) | |
download | gnutls-110b6d3111bf41377a9bb9f6fdbf2249eff84cea.tar.gz |
certtool: introduce key purpose checks in p7 direct verification
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/certtool.c b/src/certtool.c
index fd6b7106de..09ba675dab 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2912,9 +2912,16 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
 		if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
 			flags |= GNUTLS_VERIFY_ALLOW_BROKEN;
-		if (signer)
+		if (signer) {
 			ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);
-		else
+
+			if (ret >= 0 && purpose) {
+				unsigned res = gnutls_x509_crt_check_key_purpose(signer, purpose, 0);
+				if (res == 0)
+					ret = GNUTLS_E_CONSTRAINT_ERROR;
+			}
+
+		} else
 			ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
 		if (ret < 0) {
 			fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
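Review bot: The new key-purpose check passes `0` as the flags argument to `gnutls_x509_crt_check_key_purpose`, so a signer certificate carrying the anyExtendedKeyUsage OID satisfies whatever `purpose` the caller requested; if the library version in use provides `GNUTLS_KP_FLAG_DISALLOW_ANY`, consider passing it here, or add a comment above the call stating that the "any" purpose is deliberately accepted. The mismatch is also reported only through `gnutls_strerror(ret)` for `GNUTLS_E_CONSTRAINT_ERROR`, which does not tell the user that the certificate's key purpose, rather than the signature itself, was rejected; a dedicated line such as `fprintf(stderr, "\tSignature status: signer certificate does not allow purpose %s\n", purpose);` before assigning `ret` would make the diagnostic actionable. As a point of style, the `res` temporary can be folded into the condition, `if (gnutls_x509_crt_check_key_purpose(signer, purpose, 0) == 0)`. The body of verify_pkcs7 starts before this hunk and continues after it.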