[gnutls-devel] [PATCH] Check the credentials getter functions as part of the unit tests

Armin Burgmeier armin at arbur.net
Mon Oct 6 21:36:47 CEST 2014


On Thu, 2014-10-02 at 11:44 -0400, Armin Burgmeier wrote:
> On Thu, 2014-10-02 at 17:03 +0200, Nikos Mavrogiannopoulos wrote:
> > On Thu, Sep 25, 2014 at 9:53 PM, Armin Burgmeier <armin at arbur.net> wrote:
> > >> >  tests/openpgp-auth.c |  47 ++++++++++++++++++++++
> > >> >  tests/x509cert.c     | 107 ++++++++++++++++++++++++++++++++++++++++++++++++---
> > >> >  2 files changed, 149 insertions(+), 5 deletions(-)
> > >>
> > >> Thank you. I've applied the complete patch set.
> > > Thanks! I suppose the ticket on savannah could then be closed as well.
> > 
> > I realized that gnutls_x509_trust_list_iter_get_ca() is incomplete.
> > When the trust list is on a pkcs11 trust module, iteration wouldn't
> > work.
> > 
> > That seems to be easily done (at the cost of a very large iterator),
> > using the same enumeration as in
> > gnutls_x509_trust_list_add_trust_file(). That is using
> > gnutls_pkcs11_obj_list_import_url2() and then converting each one to a
> > certificate using gnutls_x509_crt_import_pkcs11(). I could schedule to
> > do it, but if you can do it, it would be real help.
> 
> Okay, I'll try to do it on the weekend or early next week.

While looking at the code you pointed to, I am not sure I understand the
following:

When adding a PKCS11 URL with gnutls_x509_trust_list_add_trust_file(),
basically all that is done is that the pkcs11_token field in the trust
list structure is set.

However, when using gnutls_x509_trust_list_remove_trust_file() to remove
a PKCS11 URL, the code imports all certificates from the URL and then
tries to remove them from the hash table. However, they have never been
added to the hash table? Is that such that the CA certificates are added
to the blacklist? In any case, the pkcs11_token field is not reset. Is
that correct?

Armin
