[gnutls-dev] Re: gnutls_certificate_verify_peers2() does not handle expirations
Rupert Kittinger
rkit at mur.at
Fri Jun 3 17:16:16 CEST 2005
On Fri, 3 Jun 2005, Simon Josefsson wrote:
> Rupert Kittinger <rkit at mur.at> writes:
>
> > Hi everybody,
> >
> > I think the x509 certificate check performed by
> > gnutls_certificate_verify_peers2() is not sufficient, because it does not
> > validate the various time constraints (activation/expiration of
> > certificates, CAs, CRLs).
>
> Right. That is intentional, even if it is unfortunate.
>
> Did you see the example in section 7.3.4 of the manual? It try to do
> a bit more. Full verification of a certificate is application and
> purpose dependent, so it is difficult to generalize.
>
I am quite aware of this. However, a lot of users of a library like
this will not have detailed knowledge of X509 (and all its incarnations,
sigh) and would profit from a "better safe than sorry" approach. Also, a
detailed description of the algorithm used in the manual would be a great,
if only for its educational value :-)
> > I propose adding the following function:
> >
> > int gnutls_certificate_verify_peers3 (gnutls_session session, unsigned int
> > * status, time_t then)
> >
> > that has the following semantics:
> > - perform the same checks as gnutls_certificate_verify_peers2()
> > - for every certificate in the chain, check for activation and expiration
> > - if a crl is available for a CA and the nextUpdate field is available,
> > check for expiration.
> >
> > add validation flags for the new error conditions.
> >
> > with the current API, these checks can only be performed by duplicating
> > some of the code to get to the certificates, resp. crls.
>
> In general I think it is a good idea to provide this. I agree
> duplicating the code from the example is sub-optimal and prone to
> errors. Checking activation/expiration dates should probably almost
> always be used.
>
> If you want to work on this, that would be good. I do dislike the *2
> and *3 names, though, but can't come up with a better name right now.
>
I hope I find the time to do this. Maybe some other people reading this
list care to provide feedback on an improved certificate validation
algorithm?
Rupert
--
Rupert Kittinger <rkit at mur.at>
More information about the Gnutls-devel
mailing list