[gnutls-devel] [sr #108634] Getter functions for gnutls_certificate_credentials_t

Armin Burgmeier INVALID.NOREPLY at gnu.org
Sun Sep 7 22:04:09 CEST 2014


Follow-up Comment #3, sr #108634 (project gnutls):

>  I have misread your message. Which function has that limitation, and how
would you suggest addressing that issue?

All the certificate verification functions I think. The limitation is in the
internal function "verify_crt" in x509/verify.c. If, for example, the verify
result is GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE or
GNUTLS_CERT_SIGNER_NOT_FOUND, then the certificate is not checked for other
problems, such as whether it is expired. Other errors, such as
GNUTLS_CERT_SIGNATURE_FAILURE, do not stop the procedure and certificate
checking continues.

Whether this is supposed to be like this or not I don't know, so maybe it is a
different issue from what I mentioned in the caption of this issue.

>  That, as I understand it, would be possible by a function that enumerates all
certificates in a trust list. Is that correct?

In addition I would need to get the trust list from the
gnutls_certificate_credentials_t structure, I think. It would also be nice to
obtain the private key (gnutls_x509_privkey_t) and certificate(s)
(gnutls_x509_crt_t) from that structure, not only the trust list.

At the moment in my program I am storing the gnutls_x509_privkey_t, the
gnutls_x509_crt_t (a client certificate), and the
gnutls_certificate_credentials_t itself. I need both: the certificate, to
extract the common name to show in the user interface, and the credentials, to
set on the GnuTLS session (gnutls_credentials_set). This basically means I need
to store the key and certificate twice in my program: once in my own data
structures, and once in the gnutls_certificate_credentials_t structure.

What I would like to do is to only keep the gnutls_certificate_credentials_t
structure, and when I need to show the common name in the user interface, I
would get the certificate from the gnutls_certificate_credentials_t, and then
get the name from the certificate. Then I would only end up with the private
key and certificate once in my program's memory.

Is it clear?

If you agree this would be good to have I can try to come up with a patch for
it.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?108634>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/