Diffstat (limited to 'lib/x509/verify.c')
-rw-r--r-- | lib/x509/verify.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index d202670198..fd7c6a1642 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -34,6 +34,7 @@
 #include <tls-sig.h>
 #include <str.h>
 #include <datum.h>
+#include <pkcs11_int.h>
 #include <x509_int.h>
 #include <common.h>
 #include <pk.h>
@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
 for (; i < clist_size; i++) {
 unsigned vflags;
+ gnutls_x509_crt_t trusted_cert;
 if (i == 0) /* in the end certificate do full comparison */
 vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
 vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
 GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
+ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
- status |= check_ca_sanity(certificate_list[i], now, flags);
+ status |= check_ca_sanity(trusted_cert, now, flags);
+ gnutls_x509_crt_deinit(trusted_cert);
 if (func)
 func(certificate_list[i], |
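Review bot: `trusted_cert` is declared without an initialiser in the loop (second hunk) and is then handed to `check_ca_sanity()` and `gnutls_x509_crt_deinit()` in the third hunk on nothing more than a non-zero return from `_gnutls_pkcs11_crt_is_known()`. That helper's contract is not visible here; if it can report a match without storing a certificate, or can return a negative error code that `!= 0` accepts, the sanity check and the free would run on an indeterminate pointer inside the trust decision. I would declare it as `gnutls_x509_crt_t trusted_cert = NULL;` and guard the branch with `... vflags, &trusted_cert) != 0 && trusted_cert != NULL) {`, so a missing anchor fails closed instead of being dereferenced. A short comment above the call, for example `/* sanity-check the stored trust anchor, not the peer-supplied copy; trusted_cert is owned here and must be deinit'ed */`, would record the intent and the ownership. The loop body and the `func(...)` call continue outside the hunk, so whether the callback should also see the stored anchor cannot be judged from here.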