rfc5280 chain validation implementation?

Werner Koch wk at gnupg.org
Fri Apr 24 10:02:38 CEST 2009


On Thu, 23 Apr 2009 15:31, simon at josefsson.org said:

> Hi.  I think GnuTLS needs a proper RFC 5280 chain validation
> implementation (see section 6), and it occurred to me that somewhere in
> the X.509 code in GnuPG2 there may be one.  I couldn't find one in
> libksba.

The algorithm given there is hard to implement but other algorithms are
allowed as well, as long as they yield the same result.  (From memory, I
have not looked at 5280).

Libksba has no such code.  The reason is that you need too many
parameters and those parameters (e.g. certificates) might not be
available right away but computed in the course of the validation.  CRL
or OCSP validation has also been done, policy checks and so on.  A lot
of stuff and code to handle this all in a generic way would be more
complicated for the caller and the library than a straightforward
implementation.  At least this is my conclusion from implementing the
chain validation two times.

It would be possible to do this in another way, e.g. collect all
certificates that might be needed for the validation before calling the
validation function.  That would require building the chain before the
validation but that is not possible, because you don't always know what
rule to use without actually validating the chain.  Sometimes you need to
do trial verification to decide whether a certificate can be used or
whether to resort to another method of locating it.  It's quite close to
a catch-22.  Right, the algorithm given for PKIX works in a properly set up
PKI - but we are far away from such an environment.

> Is there one?

There is code in gnupg and a different (and newer) one in dirmngr.
"dirmngr-client --validate" shows how to validate a certificate using
dirmngr as a validation server.  It might be worth thinking about a
validation server because such a server could cache validation results
on some realm basis (say for TLS, for X.509 mail, for OpenVPN etc.).


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

More information about the Gnupg-devel mailing list
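The trial-verification problem Werner describes (several certificates match the issuer name, and only trying each one tells you which is usable) as an added example.  This is not code from GnuPG, libksba or dirmngr; it is a toy path builder written for this page.  Certificates are plain records, the "signature" is an HMAC with a key shared by issuer and verifier (an assumption standing in for RSA/ECDSA so the example runs with no crypto library), and the sample PKI (a re-keyed "Sub CA", a cross-certificate from an untrusted root) is constructed.  It applies the RFC 5280 section 6.1 checks that do not need external state: validity period, the cA flag and pathLenConstraint, and a signature check per link, backtracking when a name-matched candidate leads nowhere.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

# Toy stand-in for the signature scheme (assumption of this example): a cert's
# "key" is an HMAC key known to issuer and verifier, so the chain-building
# logic runs without a crypto library.  Real X.509 uses asymmetric signatures.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes
    is_ca: bool                  # basicConstraints cA
    path_len: Optional[int]      # basicConstraints pathLenConstraint
    not_before: datetime
    not_after: datetime
    sig: bytes = b""

    def tbs(self) -> bytes:
        """To-be-signed bytes: every field except the signature."""
        parts = (self.subject, self.issuer, self.key.hex(), self.is_ca,
                 self.path_len, self.not_before.isoformat(),
                 self.not_after.isoformat())
        return "|".join(map(str, parts)).encode()


def sign(tbs: bytes, issuer_key: bytes) -> bytes:
    return hmac.new(issuer_key, tbs, hashlib.sha256).digest()


def verify(cert: Cert, candidate_issuer: Cert) -> bool:
    """Trial verification: does this candidate's key check cert's signature?"""
    return hmac.compare_digest(cert.sig, sign(cert.tbs(), candidate_issuer.key))


def issue(subject, key, issuer, is_ca, path_len, not_before, not_after) -> Cert:
    """Create a cert signed by `issuer`, or self-signed when issuer is None."""
    unsigned = Cert(subject, issuer.subject if issuer else subject, key,
                    is_ca, path_len, not_before, not_after)
    return replace(unsigned, sig=sign(unsigned.tbs(),
                                      issuer.key if issuer else key))


def time_valid(cert: Cert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def path_len_ok(path: List[Cert]) -> bool:
    """pathLenConstraint: the CA at index i has i-1 CA certs below it
    (path[1:i]); that count may not exceed its constraint."""
    return all(ca.path_len is None or i - 1 <= ca.path_len
               for i, ca in enumerate(path) if i > 0)


def build_and_validate(leaf, pool, anchors, now, max_depth=8) -> Optional[List[Cert]]:
    """Return a validated path [leaf, ..., trust anchor], or None.

    Candidates are chosen by issuer name only (that is all the leaf tells us),
    so several certs with the same subject may match.  Each one is tried;
    signature verification plus the validity, cA and pathLen checks decide,
    and the search backtracks when a candidate leads nowhere.
    """
    def search(cert, path):
        if len(path) > max_depth:
            return None
        for cand in anchors + pool:
            if cand.subject != cert.issuer or cand in path:
                continue
            if not (cand.is_ca and time_valid(cand, now) and verify(cert, cand)):
                continue        # right name, wrong key or not usable as CA
            new_path = path + [cand]
            if cand in anchors:
                if path_len_ok(new_path):
                    return new_path
                continue
            found = search(cand, new_path)
            if found:
                return found
        return None             # exhausted: no chain to a trust anchor

    return search(leaf, [leaf]) if time_valid(leaf, now) else None


def demo():
    """Constructed PKI: a Sub CA that was re-keyed, plus a cross-cert for the
    new key from a root we do not trust.  Three certs are named "Sub CA"."""
    y = lambda year: datetime(year, 1, 1, tzinfo=timezone.utc)
    now = y(2009)
    root = issue("Root CA", b"root-key", None, True, None, y(2000), y(2030))
    other = issue("Other Root", b"other-key", None, True, None, y(2000), y(2030))
    sub_old = issue("Sub CA", b"sub-key-old", root, True, 0, y(2001), y(2011))
    sub_new = issue("Sub CA", b"sub-key-new", root, True, 0, y(2008), y(2018))
    sub_x = issue("Sub CA", b"sub-key-new", other, True, 0, y(2008), y(2018))
    leaf = issue("End Entity", b"leaf-key", sub_new, False, None, y(2009), y(2010))
    # Wrong candidates first: the cross-cert verifies the leaf but chains to
    # an untrusted root; the old cert has the right name but the wrong key.
    path = build_and_validate(leaf, [sub_x, sub_old, sub_new], [root], now)
    no_path = build_and_validate(leaf, [sub_x, sub_old], [root], now)
    return path, no_path


if __name__ == "__main__":
    path, no_path = demo()
    print(" -> ".join(c.subject for c in path), "| no re-keyed cert:", no_path)
```

The pool order in demo() is chosen so that name matching alone would pick the wrong certificate twice: the cross-certificate passes trial verification of the leaf yet cannot reach a trust anchor, and the pre-re-key certificate is still time-valid but fails the signature check.  This is why the chain cannot be assembled before validation starts: which "Sub CA" to use is only known after verifying with it.  Revocation (CRL/OCSP) and policy processing, which Werner mentions as further inputs, are deliberately left out of the toy.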