[gnutls-dev] Re: gnutls_certificate_verify_peers2() does not handle expirations

Simon Josefsson jas at extundo.com
Fri Jun 3 16:41:39 CEST 2005


Rupert Kittinger <rkit at mur.at> writes:

> Hi everybody,
>
> I think the x509 certificate check performed by 
> gnutls_certificate_verify_peers2() is not sufficient, because it does not 
> validate the various time constraints (activation/expiration of 
> certificates, CAs, CRLs).

Right.  That is intentional, even if it is unfortunate.

Did you see the example in section 7.3.4 of the manual?  It tries to do
a bit more.  Full verification of a certificate is application and
purpose dependent, so it is difficult to generalize.

> I propose adding the following function:
>
> int gnutls_certificate_verify_peers3 (gnutls_session session, unsigned int 
> * status, time_t then) 
>
> that has the following semantics:
> - perform the same checks as gnutls_certificate_verify_peers2()
> - for every certificate in the chain, check for activation and expiration
> - if a crl is available for a CA and the nextUpdate field is available,
>   check for expiration. 
>
> add validation flags for the new error conditions.
>
> with the current API, these checks can only be performed by duplicating 
> some of the code to get to the certificates, resp. crls.

In general I think it is a good idea to provide this.  I agree
duplicating the code from the example is sub-optimal and prone to
errors.  Checking activation/expiration dates should probably almost
always be used.

If you want to work on this, that would be good.  I do dislike the *2
and *3 names, though, but can't come up with a better name right now.

> also, I did not find any checks for unknown critical extensions. As far as 
> I know, these should also cause validation failure. Did I overlook 
> something?

Probably not.  Some of the PKITS self-test certificate chains fail to
verify properly in GnuTLS because this is not implemented.

Cheers,
Simon
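The time checks proposed above, written out as an added example that is not part of the thread or of GnuTLS itself. It assumes the application has already pulled notBefore/notAfter (and, where a CRL exists, nextUpdate) out of each chain member, e.g. via gnutls_x509_crt_get_activation_time() and gnutls_x509_crt_get_expiration_time(); the CHAIN_STATUS_* flag names and the chain_entry struct are hypothetical, not GnuTLS identifiers.

```c
#include <stddef.h>
#include <time.h>

/* Hypothetical status bits for the checks the proposal adds on top of
 * gnutls_certificate_verify_peers2(); these are not GnuTLS identifiers. */
#define CHAIN_STATUS_NOT_ACTIVATED 0x01 /* a cert's notBefore lies after 'then' */
#define CHAIN_STATUS_EXPIRED       0x02 /* a cert's notAfter lies before 'then' */
#define CHAIN_STATUS_CRL_EXPIRED   0x04 /* a CA's CRL nextUpdate lies before 'then' */
#define CHAIN_STATUS_TIME_UNKNOWN  0x08 /* a validity time could not be read */

/* One chain member, leaf first.  The GnuTLS getters return (time_t)-1 when
 * the field cannot be read; crl_next_update is also (time_t)-1 when no CRL
 * is available for the CA or the CRL carries no nextUpdate field. */
struct chain_entry {
    time_t activation;      /* notBefore */
    time_t expiration;      /* notAfter */
    time_t crl_next_update; /* nextUpdate of the CA's CRL, or (time_t)-1 */
};

/* Apply the proposed checks against reference time 'then' and return a
 * bitmask of the failures found; 0 means the whole chain is valid at 'then'.
 * An unreadable notBefore/notAfter is reported rather than silently passing:
 * a raw comparison with (time_t)-1 would never flag a missing notBefore. */
unsigned int chain_time_status(const struct chain_entry *chain, size_t n,
                               time_t then)
{
    unsigned int status = 0;

    for (size_t i = 0; i < n; i++) {
        if (chain[i].activation == (time_t)-1 ||
            chain[i].expiration == (time_t)-1) {
            status |= CHAIN_STATUS_TIME_UNKNOWN;
            continue;
        }
        if (chain[i].activation > then)
            status |= CHAIN_STATUS_NOT_ACTIVATED;
        if (chain[i].expiration < then)
            status |= CHAIN_STATUS_EXPIRED;
        /* nextUpdate is optional in a CRL: only check it when present. */
        if (chain[i].crl_next_update != (time_t)-1 &&
            chain[i].crl_next_update < then)
            status |= CHAIN_STATUS_CRL_EXPIRED;
    }
    return status;
}
```

The bitmask is meant to be OR-ed into the status word that gnutls_certificate_verify_peers2() already fills, so a caller keeps a single "any bit set means reject" test.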
