-rw-r--r--lib/x509/verify.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 2bbb788ec4..05f4b5c041 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1166,6 +1166,17 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
goto cleanup;
}
+ /* check if the raw issuer is blacklisted (it can happen if
+ * the issuer is both in the trusted list and the blacklisted)
+ */
+ if (gnutls_pkcs11_crt_is_known (url, issuer,
+ GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
+ GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) != 0) {
+ status |= GNUTLS_CERT_INVALID;
+ status |= GNUTLS_CERT_SIGNER_NOT_FOUND; /* if the signer is revoked - it is as if it doesn't exist */
+ goto cleanup;
+ }
+
if (purpose != NULL) {
ret = _gnutls_check_key_purpose(issuer, purpose);
if (ret != 1) {
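Review bot: The trailing comment on the `status |= GNUTLS_CERT_SIGNER_NOT_FOUND;` line describes the issuer as "revoked", but the new check is a distrust/blacklist membership test via GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, not a CRL or OCSP revocation check; conflating the two will mislead the next reader into looking for revocation handling here. Suggest `/* a distrusted (blacklisted) issuer is treated as if it did not exist */` instead. The condition `!= 0` also folds every non-zero return of gnutls_pkcs11_crt_is_known into the reject path; if that call can report a lookup error (rather than only found/not-found), the error case fails closed here, which is the safe direction but deserves a one-line comment saying it is intentional. The enclosing function _gnutls_pkcs11_verify_crt_status starts and ends outside this hunk, so whether the same distrust check is applied to the end-entity certificate cannot be confirmed from what is shown.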