From 9afae358ed30fa685a3927797e1b6e428732b7b4 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Fri, 5 Mar 2021 12:16:43 +0100
Subject: [PATCH] Tolerate duplicate certs in the chain also with PKCS #11 trust store
---
 gnutls-3.7.0-duplicate-certs-pkcs11.patch | 44 +++++++++++++++++++++++
 gnutls.spec | 6 +++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 gnutls-3.7.0-duplicate-certs-pkcs11.patch
diff --git a/gnutls-3.7.0-duplicate-certs-pkcs11.patch b/gnutls-3.7.0-duplicate-certs-pkcs11.patch
new file mode 100644
index 0000000..02284b4
--- /dev/null
+++ b/gnutls-3.7.0-duplicate-certs-pkcs11.patch
@@ -0,0 +1,44 @@
+From e97a5f07bc9d9394424c6520656e902019fcb380 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Fri, 5 Mar 2021 12:08:25 +0100
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: skip duped certs for
+ PKCS11 too
+
+The commit 09b40be6e0e0a59ba4bd764067eb353241043a70 (part of
+gnutls/gnutls!1370) didn't cover the case where the trust store is
+backed by PKCS #11, because it used _gnutls_trust_list_get_issuer,
+which only works with file based trust store.
+
+This patch replaces the call with more generic
+gnutls_x509_trust_list_get_issuer so it also works with other trust
+store implementations.
+
+Reported by Michal Ruprich.
+
+Signed-off-by: Daiki Ueno
+---
+ lib/x509/verify-high.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 9a16e6b42..736326ee1 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -1495,10 +1495,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 
+ /* If the issuer of the certificate is known, no need
+ * for further processing. */
+- if (_gnutls_trust_list_get_issuer(list,
+- cert_list[i - 1],
+- &issuer,
+- 0) == 0) {
++ if (gnutls_x509_trust_list_get_issuer(list,
++ cert_list[i - 1],
++ &issuer,
++ 0) == 0) {
+ cert_list_size = i;
+ break;
+ }
+--
+2.29.2
+
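Review bot: The replacement call in the nested verify-high.c hunk still passes flags `0`, and if I read gnutls_x509_trust_list_get_issuer correctly its PKCS #11 fallback only serves lookups made with `GNUTLS_TL_GET_COPY` (a token cannot hand out a list-owned certificate object), so the PKCS #11 case this patch is meant to cover may still not short-circuit; this should be confirmed against the 3.7.0 implementation before the build is shipped. If that reading holds, the call should request a copy and release it: change the last argument line to `&issuer, GNUTLS_TL_GET_COPY) == 0) {` and add `gnutls_x509_crt_deinit(issuer);` before `cert_list_size = i;`. On the file-backed path the rename alone is behaviour-preserving, so the original duplicate-cert fix is not regressed either way. The enclosing function gnutls_x509_trust_list_verify_crt2 starts and ends outside the hunk, so whether `issuer` is read further down (which would matter for the deinit) is not visible here.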
diff --git a/gnutls.spec b/gnutls.spec
index 3811ea9..51ff567 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,11 +1,12 @@
 # This spec file has been automatically updated
 Version: 3.7.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Patch1: gnutls-3.6.7-no-now-guile.patch
 Patch2: gnutls-3.2.7-rpath.patch
 Patch3: gnutls-3.7.0-test-fixes.patch
 Patch4: gnutls-3.7.0-gost.patch
 Patch5: gnutls-3.7.0-duplicate-certs.patch
+Patch6: gnutls-3.7.0-duplicate-certs-pkcs11.patch
 %bcond_with bootstrap
 %bcond_without dane
 %if 0%{?rhel}
@@ -292,6 +293,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 %changelog
+* Fri Mar 5 2021 Daiki Ueno - 3.7.0-4
+- Tolerate duplicate certs in the chain also with PKCS #11 trust store
+
 * Tue Mar 2 2021 Daiki Ueno - 3.7.0-3
 - Reduce BRs for non-bootstrapping build