1 files changed, 24 insertions, 25 deletions

diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index b1421ef17a..763c527a59 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -851,11 +851,10 @@ static int shorten_clist(gnutls_x509_trust_list_t list,
 	return clist_size;
 }
 
-static
-int trust_list_get_issuer(gnutls_x509_trust_list_t list,
-				      gnutls_x509_crt_t cert,
-				      gnutls_x509_crt_t * issuer,
-				      unsigned int flags)
+int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list,
+				  gnutls_x509_crt_t cert,
+				  gnutls_x509_crt_t * issuer,
+				  unsigned int flags)
 {
 	int ret;
 	unsigned int i;
@@ -968,7 +967,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
 {
 	int ret;
 
-	ret = trust_list_get_issuer(list, cert, issuer, flags);
+	ret = _gnutls_trust_list_get_issuer(list, cert, issuer, flags);
 	if (ret == 0) {
 		return 0;
 	}
@@ -1192,11 +1191,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
 
 #define LAST_DN cert_list[cert_list_size-1]->raw_dn
 #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
-/* This macro is introduced to detect a verification output
- * which indicates an unknown signer, or a signer which uses
- * an insecure algorithm (e.g., sha1), something that indicates
- * a superseded signer */
-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
+/* This macro is introduced to detect a verification output which
+ * indicates an unknown signer, a signer which uses an insecure
+ * algorithm (e.g., sha1), a signer has expired, or something that
+ * indicates a superseded signer */
+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \
+				       (output & GNUTLS_CERT_EXPIRED) || \
+				       (output & GNUTLS_CERT_INSECURE_ALGORITHM))
 #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
 
 /**
@@ -1333,11 +1334,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	}
 
 	*voutput =
-	    _gnutls_verify_crt_status(cert_list, cert_list_size,
-					    list->node[hash].trusted_cas,
-					    list->
-					    node[hash].trusted_ca_size,
-					    flags, purpose, func);
+	    _gnutls_verify_crt_status(list, cert_list, cert_list_size,
+				      list->node[hash].trusted_cas,
+				      list->node[hash].trusted_ca_size,
+				      flags, purpose, func);
 	saved_output = *voutput;
 
 	if (SIGNER_OLD_OR_UNKNOWN(*voutput) &&
@@ -1355,11 +1355,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		 _gnutls_debug_log("issuer in verification was not found or insecure; trying against trust list\n");
 
 		*voutput =
-		    _gnutls_verify_crt_status(cert_list, cert_list_size,
-					    list->node[hash].trusted_cas,
-					    list->
-					    node[hash].trusted_ca_size,
-					    flags, purpose, func);
+		    _gnutls_verify_crt_status(list, cert_list, cert_list_size,
+					      list->node[hash].trusted_cas,
+					      list->node[hash].trusted_ca_size,
+					      flags, purpose, func);
 		if (*voutput != 0) {
 			if (SIGNER_WAS_KNOWN(saved_output))
 				*voutput = saved_output;
@@ -1373,10 +1372,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	if (SIGNER_OLD_OR_UNKNOWN(*voutput) && list->pkcs11_token) {
 		/* use the token for verification */
 
-		*voutput = _gnutls_pkcs11_verify_crt_status(list->pkcs11_token,
-								cert_list, cert_list_size,
-								purpose,
-								flags, func);
+		*voutput = _gnutls_pkcs11_verify_crt_status(list, list->pkcs11_token,
+							    cert_list, cert_list_size,
+							    purpose,
+							    flags, func);
 		if (*voutput != 0) {
 			if (SIGNER_WAS_KNOWN(saved_output))
 				*voutput = saved_output;