gnutls fails to use Verisign CA cert without a Basic Constraint
Douglas E. Engert
deengert at anl.gov
Mon Jan 12 21:09:49 CET 2009
Simon Josefsson wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
>
>> OK, see form below.
>
> You need to send it to assign at gnu.org, I could forward it but I think
> they want it directly from the submitter.
OK, sent the form; the first time it went to the wrong address.
If you were to create a check_if_same_cert routine, the actual code
to shorten the cert chain is only 7 lines, not counting
comment, "{" or "}" lines.
Here is a verify.c patch (Against Ubuntu version) that does the following:
added routine check_if_same_cert() to test if two certs are identical,
using the method used in check_if_ca.
(Note: check_if_ca could call check_if_same_cert too, but it made
the patch file hard to read.)
Adds this code:
+ /* We want to shorten the chain by removing the cert that matches
+ * one of the certs we trust and all the certs after that
+ * i.e. if cert chain is A, B, C, and we trust B, remove B and C
+ * we must leave the first cert on chain. */
+ if (clist_size > 1)
+ {
+ for (i = 1; i < clist_size; i++)
+ {
+ int j;
+ for (j = 0; j < tcas_size; j++)
+ {
+ if (check_if_same_cert ( certificate_list[i], trusted_cas[j], flags) == 1)
+ {
+ clist_size = i;
+ break;
+ }
+ }
+ /* clist_size may have been changed which gets out of loop */
+ }
+ }
+
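Review bot: the `break` after `clist_size = i;` only leaves the inner `for (j ...)` loop; the outer loop terminates because `i < clist_size` is now false, which the trailing comment hints at but which is easy to miss on a later edit. A `goto done` or an explicit flag would make the double-loop exit obvious. The comment also says B and C are "removed", but the code only truncates `clist_size`; `certificate_list` itself is untouched, so the comment should say the count is shortened and any later code must use the updated `clist_size` rather than the original length. Finally, the safety of this shortcut rests entirely on what `check_if_same_cert()` compares: it needs to match the full DER encoding (or at minimum the subject and public key), not subject/issuer names alone, otherwise a certificate that merely carries a trusted CA's name would end the chain at that point before the signature check reaches it. Please state in the patch what "identical" means for that routine.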
Added the recent patches to get the if corrected, and added the patch
for flags &= ~GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Name: verify.c.patch2.txt
URL: </pipermail/attachments/20090112/a69913a1/attachment.txt>
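The chain-shortening rule described above (if the chain is A, B, C and B is a trust anchor, keep only A; never drop the first certificate), as an added stand-alone example that is not part of the gnutls source or of the patch. It assumes a tiny `cert_t` struct holding a DER encoding instead of `gnutls_x509_crt_t`, compares certificates by their full DER bytes, and uses constructed placeholder byte strings rather than real certificates:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a DER-encoded certificate (assumption for this example;
 * real code would carry a gnutls_x509_crt_t). */
typedef struct {
    const unsigned char *der;
    size_t len;
} cert_t;

/* Two certificates count as "the same" only when their complete DER
 * encodings are byte-for-byte identical.  Matching on names alone would
 * let an untrusted certificate that reuses a trusted CA's name end the
 * chain early, so the comparison is deliberately strict. */
static int same_cert(const cert_t *a, const cert_t *b)
{
    return a->len == b->len && memcmp(a->der, b->der, a->len) == 0;
}

/* Shorten chain[0..n): searching from index 1, find the first certificate
 * that is itself a trust anchor and drop it and everything after it.
 * chain[0] (the end-entity certificate) is never removed, so a chain of
 * length 1 is returned unchanged even if chain[0] is trusted.
 * Returns the new chain length; the array itself is not modified. */
size_t shorten_chain(const cert_t *chain, size_t n,
                     const cert_t *trusted, size_t ntrusted)
{
    size_t i, j;

    for (i = 1; i < n; i++)
        for (j = 0; j < ntrusted; j++)
            if (same_cert(&chain[i], &trusted[j]))
                return i;           /* keep chain[0..i) */
    return n;
}

/* Constructed placeholder "encodings" (not real DER) for the example. */
static const unsigned char DER_LEAF[] = "leaf:www.example.test";
static const unsigned char DER_INT[]  = "intermediate:Example CA 2";
static const unsigned char DER_ROOT[] = "root:Example Root CA";
static const unsigned char DER_FAKE[] = "intermediate:Example CA 2 (lookalike)";

#define CERT(x) { (x), sizeof(x) - 1 }

/* Chain A, B, C with B trusted: only A is kept -> 1. */
size_t demo_trusted_intermediate(void)
{
    const cert_t chain[]   = { CERT(DER_LEAF), CERT(DER_INT), CERT(DER_ROOT) };
    const cert_t trusted[] = { CERT(DER_INT) };
    return shorten_chain(chain, 3, trusted, 1);
}

/* Only the root is trusted: A and B are kept -> 2. */
size_t demo_trusted_root(void)
{
    const cert_t chain[]   = { CERT(DER_LEAF), CERT(DER_INT), CERT(DER_ROOT) };
    const cert_t trusted[] = { CERT(DER_ROOT) };
    return shorten_chain(chain, 3, trusted, 1);
}

/* The chain contains a lookalike intermediate whose encoding differs from
 * the trusted one, and no trust anchor: nothing is removed -> 3. */
size_t demo_untrusted_chain(void)
{
    const cert_t chain[]   = { CERT(DER_LEAF), CERT(DER_FAKE), CERT(DER_ROOT) };
    const cert_t trusted[] = { CERT(DER_INT) };
    return shorten_chain(chain, 3, trusted, 1);
}

/* A one-certificate chain whose only member is trusted stays length 1,
 * because the first certificate is never dropped. */
size_t demo_trusted_leaf_only(void)
{
    const cert_t chain[]   = { CERT(DER_LEAF) };
    const cert_t trusted[] = { CERT(DER_LEAF) };
    return shorten_chain(chain, 1, trusted, 1);
}

int main(void)
{
    printf("trusted intermediate: %zu\n", demo_trusted_intermediate());
    printf("trusted root:         %zu\n", demo_trusted_root());
    printf("untrusted chain:      %zu\n", demo_untrusted_chain());
    printf("trusted leaf only:    %zu\n", demo_trusted_leaf_only());
    return 0;
}
```

The truncated length is what the subsequent verification must operate on: after shortening, the last remaining certificate (chain[i-1]) still has to be checked as signed by a trust anchor, which this example leaves to the caller exactly as the patch does.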