[gnutls-dev] gnutls_certificate_verify_peers2() does not handle expirations
Rupert Kittinger
rkit at mur.at
Fri Jun 3 15:53:03 CEST 2005
Hi everybody,
I think the X.509 certificate check performed by
gnutls_certificate_verify_peers2() is not sufficient, because it does not
validate the various time constraints (activation/expiration of
certificates, CAs, CRLs).
I propose adding the following function:
int gnutls_certificate_verify_peers3 (gnutls_session session, unsigned int * status, time_t then)
that has the following semantics:
- perform the same checks as gnutls_certificate_verify_peers2()
- for every certificate in the chain, check for activation and expiration
- if a CRL is available for a CA and the nextUpdate field is present,
check for expiration.
Add validation flags for the new error conditions.
With the current API, these checks can only be performed by duplicating
some of the code to get to the certificates and CRLs, respectively.
Also, I did not find any checks for unknown critical extensions. As far as
I know, these should also cause validation failure. Did I overlook
something?
Cheers,
Rupert
--
Rupert Kittinger <rkit at mur.at>
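The checks the post proposes for a verify_peers3()-style call, written out as an added example. This is not GnuTLS code and not Rupert's patch: it works on already-extracted values rather than on gnutls_x509_crt_t/gnutls_x509_crl_t objects, the CHK_* status bits, the check_chain_times() function, the scenario_*() functions and all certificate/CRL times and OIDs in it are constructed for illustration, and the list of "known" critical extensions is a placeholder for whatever a real implementation understands. What it shows is the semantics the post asks for: every certificate in the chain is checked against a caller-supplied reference time `then` (not only the current time), a CRL is checked against nextUpdate only when that optional field is present, and an unrecognised critical extension is reported as a distinct failure.

```c
/* Added example, not GnuTLS code: time-window, CRL-freshness and
 * unknown-critical-extension checks over already-extracted values.
 * Status bit names, functions and all sample data are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CHK_NOT_ACTIVATED        (1u << 0) /* a cert's notBefore is after `then` */
#define CHK_EXPIRED              (1u << 1) /* a cert's notAfter is before `then` */
#define CHK_CRL_EXPIRED          (1u << 2) /* a CRL's nextUpdate is before `then` */
#define CHK_UNKNOWN_CRITICAL_EXT (1u << 3) /* a critical extension we do not understand */

#define T_UNSET ((time_t)-1) /* field absent from the certificate or CRL */

/* In a real implementation these values would come from
 * gnutls_x509_crt_get_activation_time() / gnutls_x509_crt_get_expiration_time()
 * and the certificate's extension list. */
struct cert_info {
    time_t activation;                /* notBefore */
    time_t expiration;                /* notAfter */
    const char *const *critical_oids; /* NULL-terminated list, or NULL if none */
};

/* nextUpdate is OPTIONAL in an X.509 CRL: T_UNSET is legitimate and must not
 * by itself fail the check (it would come from gnutls_x509_crl_get_next_update()). */
struct crl_info {
    time_t this_update;
    time_t next_update;
};

/* Placeholder set of critical extensions the verifier "understands". */
static const char *const known_critical_oids[] = {
    "2.5.29.15", /* keyUsage */
    "2.5.29.19", /* basicConstraints */
    "2.5.29.17", /* subjectAltName */
    "2.5.29.37", /* extKeyUsage */
    NULL
};

static int oid_is_known(const char *oid)
{
    for (size_t i = 0; known_critical_oids[i] != NULL; i++)
        if (strcmp(known_critical_oids[i], oid) == 0)
            return 1;
    return 0;
}

/* Check every certificate in the chain and every CRL against `then`, the
 * caller-supplied reference time. Returns the OR of the CHK_* bits raised. */
unsigned int check_chain_times(const struct cert_info *chain, size_t nchain,
                               const struct crl_info *crls, size_t ncrls,
                               time_t then)
{
    unsigned int status = 0;

    for (size_t i = 0; i < nchain; i++) {
        if (chain[i].activation != T_UNSET && then < chain[i].activation)
            status |= CHK_NOT_ACTIVATED;
        if (chain[i].expiration != T_UNSET && then > chain[i].expiration)
            status |= CHK_EXPIRED;
        if (chain[i].critical_oids != NULL)
            for (size_t j = 0; chain[i].critical_oids[j] != NULL; j++)
                if (!oid_is_known(chain[i].critical_oids[j]))
                    status |= CHK_UNKNOWN_CRITICAL_EXT;
    }
    for (size_t i = 0; i < ncrls; i++)
        if (crls[i].next_update != T_UNSET && then > crls[i].next_update)
            status |= CHK_CRL_EXPIRED;

    return status;
}

/* Constructed scenarios; times are Unix epoch seconds, THEN is 2005-06-03. */
#define THEN ((time_t)1117800000)
static const char *const ext_ok[]  = { "2.5.29.15", NULL };
static const char *const ext_odd[] = { "2.5.29.15", "1.3.6.1.4.1.99999.1", NULL }; /* made-up OID */

unsigned int scenario_valid(void)
{
    struct cert_info chain[] = { { 1100000000, 1130000000, ext_ok },   /* leaf */
                                 { 1000000000, 1300000000, NULL } };   /* CA */
    struct crl_info crls[] = { { 1117000000, 1120000000 } };
    return check_chain_times(chain, 2, crls, 1, THEN);
}

unsigned int scenario_expired_leaf(void)
{
    struct cert_info chain[] = { { 1100000000, 1117000000, ext_ok },   /* notAfter < THEN */
                                 { 1000000000, 1300000000, NULL } };
    struct crl_info crls[] = { { 1117000000, 1120000000 } };
    return check_chain_times(chain, 2, crls, 1, THEN);
}

unsigned int scenario_stale_crl(void)
{
    struct cert_info chain[] = { { 1100000000, 1130000000, NULL } };
    struct crl_info crls[] = { { 1110000000, 1117500000 },   /* nextUpdate passed */
                               { 1110000000, T_UNSET } };    /* no nextUpdate: not an error */
    return check_chain_times(chain, 1, crls, 2, THEN);
}

unsigned int scenario_unknown_critical_ext(void)
{
    struct cert_info chain[] = { { 1100000000, 1130000000, ext_odd } };
    return check_chain_times(chain, 1, NULL, 0, THEN);
}

unsigned int scenario_ca_not_yet_valid(void)
{
    struct cert_info chain[] = { { 1100000000, 1130000000, NULL },
                                 { 1118000000, 1300000000, NULL } };   /* CA notBefore > THEN */
    return check_chain_times(chain, 2, NULL, 0, THEN);
}

int main(void)
{
    printf("valid=%u expired=%u stale_crl=%u unknown_ext=%u not_activated=%u\n",
           scenario_valid(), scenario_expired_leaf(), scenario_stale_crl(),
           scenario_unknown_critical_ext(), scenario_ca_not_yet_valid());
    return 0;
}
```

Two points the scenarios make explicit: the stale-CRL case carries a second CRL without nextUpdate, which is deliberately not flagged, and every check is against `then` rather than time(NULL), which is what lets a caller verify a recorded session as of the time it was established.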