[gnutls-dev] NO_CERTIFICATE_FOUND if CA list is empty (CVS)

Andrew McDonald andrew@mcdonald.org.uk
Sun Mar 17 21:41:01 2002


In the CVS version of gnutls I get a GNUTLS_E_NO_CERTIFICATE_FOUND
error if there are no CA certificates in the credentials list, e.g.
when the certificate file set through
gnutls_certificate_set_x509_trust_file is empty or does not exist.

This is because of the tcas_size == 0 check in
_gnutls_x509_verify_certificate. In 0.3.5 the tcas_size == 0 check in
gnutls_verify_certificate caused it to return GNUTLS_CERT_NOT_TRUSTED.

The 0.3.5 behaviour seems the correct one to me since the user may not
have any CAs and just wants to check the fingerprint of each
certificate by hand, especially in situations where the certificate is
likely to be self-signed.

Just getting rid of the tcas_size == 0 check at the start of
_gnutls_x509_verify_certificate should be enough, since
the later call to gnutls_verify_certificate2 will return/set
GNUTLS_CERT_NOT_TRUSTED if !(tcas_size >= 1). This will also ensure
that the EXPIRED and other flags are set as appropriate.

One line patch attached.


Andrew
-- 
Andrew McDonald
E-mail: andrew@mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/

Attachment: x509_verify.patch

--- x509_verify.c~	Sun Mar 17 20:35:30 2002
+++ x509_verify.c	Sun Mar 17 20:36:21 2002
@@ -368,7 +368,7 @@
 	int i =3D 0, ret;
 	CertificateStatus status=3D0;
 =09
-	if (tcas_size =3D=3D 0 || clist_size =3D=3D 0) {
+	if (clist_size =3D=3D 0) {
 		return GNUTLS_E_NO_CERTIFICATE_FOUND;
 	}
=20
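Review bot: dropping `tcas_size == 0` from this early return changes what a caller with an empty trust list gets back, from the error GNUTLS_E_NO_CERTIFICATE_FOUND to a successful return whose status word carries GNUTLS_CERT_NOT_TRUSTED; the hunk relies on the `tcas_size >= 1` test inside gnutls_verify_certificate2 for that, so please confirm that nothing between this `if` and that test indexes the trusted CA array when tcas_size is 0 (the three context lines above show only the local declarations, not the code that follows). The change also deserves a line in the function's documentation or NEWS: an application that only checks for a negative return and ignores the status word previously failed hard on a missing or empty trust file and will now carry on, so it must test the NOT_TRUSTED bit itself.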

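The behaviour the message argues for, as an added example that is not part of the original post or of GnuTLS: a toy C model in which cert_t, signed_by(), the flag values and the function names verify_chain, verify_chain_old and accept_with_pin are all stand-ins chosen here (only the NOT_TRUSTED, EXPIRED and NO_CERTIFICATE_FOUND names follow the message). verify_chain_old keeps the pre-patch early return; verify_chain drops it, so an empty trust list yields NOT_TRUSTED in the status alongside any EXPIRED or chain flag; accept_with_pin implements the "check the fingerprint by hand" policy on top of that status.

```c
/* Added example, not GnuTLS code: a toy model of the verification behaviour
 * the message describes. cert_t, signed_by() and the flag values are
 * stand-ins; only the flag names follow those quoted in the message. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CERT_NOT_TRUSTED       0x01  /* top of chain not issued by a trusted CA */
#define CERT_EXPIRED           0x02  /* now is past not_after */
#define CERT_NOT_ACTIVATED     0x04  /* now is before not_before */
#define CERT_INVALID_CHAIN     0x08  /* cert[i] not issued by cert[i+1] */
#define E_NO_CERTIFICATE_FOUND (-1)  /* an error return, not a status bitmask */

typedef struct {
    const char *subject;
    const char *issuer;
    time_t not_before, not_after;
    const char *fingerprint;  /* stands in for a hash of the DER encoding */
} cert_t;

/* Toy issuer check: real code verifies the signature with the CA's key;
 * here a certificate counts as issued by a CA when issuer == CA subject. */
int signed_by(const cert_t *c, const cert_t *ca)
{
    return strcmp(c->issuer, ca->subject) == 0;
}

/* Behaviour after the patch: an empty trust list is reported as
 * CERT_NOT_TRUSTED in *status, and the per-certificate checks still run,
 * so EXPIRED and chain flags are set alongside it. Returns 0 on success
 * or E_NO_CERTIFICATE_FOUND when there is nothing to verify. */
int verify_chain(const cert_t *clist, int clist_size,
                 const cert_t *tcas, int tcas_size,
                 time_t now, unsigned *status)
{
    unsigned s = 0;
    int i, trusted = 0;

    if (clist_size == 0)
        return E_NO_CERTIFICATE_FOUND;

    for (i = 0; i < clist_size; i++) {
        if (now > clist[i].not_after)  s |= CERT_EXPIRED;
        if (now < clist[i].not_before) s |= CERT_NOT_ACTIVATED;
        if (i + 1 < clist_size && !signed_by(&clist[i], &clist[i + 1]))
            s |= CERT_INVALID_CHAIN;
    }

    /* With tcas_size == 0 this loop never runs, so NOT_TRUSTED is set
     * without any dereference of tcas. */
    for (i = 0; i < tcas_size; i++)
        if (signed_by(&clist[clist_size - 1], &tcas[i])) { trusted = 1; break; }
    if (!trusted)
        s |= CERT_NOT_TRUSTED;

    *status = s;
    return 0;
}

/* Behaviour before the patch: bail out with an error before any check has
 * run, so a caller with no CAs never learns whether the cert is expired. */
int verify_chain_old(const cert_t *clist, int clist_size,
                     const cert_t *tcas, int tcas_size,
                     time_t now, unsigned *status)
{
    if (tcas_size == 0 || clist_size == 0)
        return E_NO_CERTIFICATE_FOUND;
    return verify_chain(clist, clist_size, tcas, tcas_size, now, status);
}

/* The "check the fingerprint by hand" policy from the message: with no CAs,
 * accept a chain whose only defect is NOT_TRUSTED, and only if the leaf
 * fingerprint equals the pin. Expired or broken chains stay rejected. */
int accept_with_pin(const cert_t *clist, int clist_size,
                    time_t now, const char *pinned_fp)
{
    unsigned status;

    if (verify_chain(clist, clist_size, NULL, 0, now, &status) != 0)
        return 0;
    if (status & ~CERT_NOT_TRUSTED)
        return 0;
    return strcmp(clist[0].fingerprint, pinned_fp) == 0;
}

int main(void)
{
    /* Constructed self-signed certificate; the times are arbitrary epochs. */
    cert_t self = { "CN=host.example", "CN=host.example", 1000, 2000, "ab:cd:ef" };
    unsigned status = 0;
    int rc = verify_chain(&self, 1, NULL, 0, 1500, &status);

    printf("rc=%d status=0x%x pinned_ok=%d expired_pinned_ok=%d\n", rc, status,
           accept_with_pin(&self, 1, 1500, "ab:cd:ef"),
           accept_with_pin(&self, 1, 2500, "ab:cd:ef"));
    return 0;
}
```

What the model makes concrete: under the old check a caller with no CAs gets only an error and cannot tell an expired self-signed certificate from a valid one, so a fingerprint pin would have to accept blindly; with the status bitmask, the pin policy can accept NOT_TRUSTED on its own and still reject EXPIRED or a broken chain. Either way the caller has to test the status bits, not just the return code.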