[gnutls-dev] Re: gnutls_certificate_verify_peers2() does not handle expirations

[Simon Josefsson]

Rupert Kittinger <rkit at mur.at> writes:

> On Fri, 3 Jun 2005, Simon Josefsson wrote:
>
>> Rupert Kittinger <rkit at mur.at> writes:
>> 
>> > Hi everybody,
>> >
>> > I think the x509 certificate check performed by 
>> > gnutls_certificate_verify_peers2() is not sufficient, because it does not 
>> > validate the various time constraints (activation/expiration of 
>> > certificates, CAs, CRLs).
>> 
>> Right.  That is intentional, even if it is unfortunate.
>> 
>> Did you see the example in section 7.3.4 of the manual?  It try to do
>> a bit more.  Full verification of a certificate is application and
>> purpose dependent, so it is difficult to generalize.
>> 
>
> I am quite aware of this. However, a lot of users of a library like 
> this will not have detailed knowledge of X509 (and all its incarnations, 
> sigh) and would profit from a "better safe than sorry" approach. Also, a 
> detailed description of the algorithm used in the manual would be a great, 
> if only for its educational value :-)  

Right, and I agree.  It would be useful to have the algorithm in the
gnutls_certificate_verify_peers3 function documentation; then it would
end up in the manual, and would be easy to validate against the source
code.

> I hope I find the time to do this. Maybe some other people reading this
>  list care to provide feedback on an improved certificate validation 
> algorithm?   

I hope so too.  As for implementation, taking what's in the 7.3.4
example and making a GnuTLS API function of it should be a good start.
The details in the algorithm can be enhanced further on.

Cheers,
Simon