Tolerate duplicate certs in the chain also with PKCS #11 trust store
This commit is contained in:
parent
7e113a5794
commit
9afae358ed
44
gnutls-3.7.0-duplicate-certs-pkcs11.patch
Normal file
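--- a/gnutls-3.7.0-duplicate-certs-pkcs11.patch
+++ b/gnutls-3.7.0-duplicate-certs-pkcs11.patch
@@ -0,0 +1,44 @@
+From e97a5f07bc9d9394424c6520656e902019fcb380 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 5 Mar 2021 12:08:25 +0100
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: skip duped certs for
+PKCS11 too
+
+The commit 09b40be6e0e0a59ba4bd764067eb353241043a70 (part of
+gnutls/gnutls!1370) didn't cover the case where the trust store is
+backed by PKCS #11, because it used _gnutls_trust_list_get_issuer,
+which only works with file based trust store.
+
+This patch replaces the call with more generic
+gnutls_x509_trust_list_get_issuer so it also works with other trust
+store implementations.
+
+Reported by Michal Ruprich.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+lib/x509/verify-high.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 9a16e6b42..736326ee1 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -1495,10 +1495,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+
+/* If the issuer of the certificate is known, no need
+* for further processing. */
+- if (_gnutls_trust_list_get_issuer(list,
+- cert_list[i - 1],
+- &issuer,
+- 0) == 0) {
++ if (gnutls_x509_trust_list_get_issuer(list,
++ cert_list[i - 1],
++ &issuer,
++ 0) == 0) {
+cert_list_size = i;
+break;
+}
+--
+2.29.2
+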
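Review bot: The ownership of `issuer` after the replaced call is not visible in this hunk: `gnutls_x509_trust_list_get_issuer` is the public API whose flags argument (here `0`) decides whether the returned certificate is an internal pointer or a copy, and for a PKCS #11-backed store the issuer presumably has to be imported from the token, so the code that handles `issuer` after the `break` should be checked to neither leak nor double-free it — a one-line comment such as `/* flags == 0: issuer is owned by the trust list, do not deinit */` (or its opposite, whichever the implementation guarantees) would make the contract explicit at the call site. The public function may also consult the token on every iteration of this loop, which the internal `_gnutls_trust_list_get_issuer` never did; that is likely fine for TLS chain lengths but worth a note since the loop runs over peer-supplied input. The earlier fix was only found incomplete because no PKCS #11 case was exercised, so a regression test that verifies a chain containing a duplicated certificate against a PKCS #11 trust store would keep this from regressing. The enclosing function `gnutls_x509_trust_list_verify_crt2` starts and ends outside the hunk.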
@ -1,11 +1,12 @@
|
||||
# This spec file has been automatically updated
|
||||
Version: 3.7.0
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Patch1: gnutls-3.6.7-no-now-guile.patch
|
||||
Patch2: gnutls-3.2.7-rpath.patch
|
||||
Patch3: gnutls-3.7.0-test-fixes.patch
|
||||
Patch4: gnutls-3.7.0-gost.patch
|
||||
Patch5: gnutls-3.7.0-duplicate-certs.patch
|
||||
Patch6: gnutls-3.7.0-duplicate-certs-pkcs11.patch
|
||||
%bcond_with bootstrap
|
||||
%bcond_without dane
|
||||
%if 0%{?rhel}
|
||||
@ -292,6 +293,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Mar 5 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-4
|
||||
- Tolerate duplicate certs in the chain also with PKCS #11 trust store
|
||||
|
||||
* Tue Mar 2 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-3
|
||||
- Reduce BRs for non-bootstrapping build
|
||||
|
||||
|