[gnutls-devel] [PATCH] Check for all error conditions when verifying a certificate
Nikos Mavrogiannopoulos
nmav at gnutls.org
Tue Sep 16 13:32:00 CEST 2014
On Sat, Sep 13, 2014 at 5:46 PM, Armin Burgmeier <armin at arbur.net> wrote:
> This allows checking for all possible flaws in a certificate chain with a
> single call to gnutls_x509_crt_list_verify and friends.
> + if (sigalg >= 0 &&
> + is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
> + gnutls_assert();
> + out |=
> + GNUTLS_CERT_INSECURE_ALGORITHM |
> + GNUTLS_CERT_INVALID;
> + result = 0;
> + }
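Review bot: the `sigalg >= 0` guard means a negative sigalg (an error value from the signature-algorithm lookup) silently skips the security-level check and leaves `out` and `result` untouched, so a certificate whose algorithm could not be determined sails through this step. If a negative value can reach this point, treat it as a failure in its own right (`gnutls_assert(); out |= GNUTLS_CERT_INVALID; result = 0;`) rather than skipping the check; if it cannot, the guard is dead code and should be removed so the insecure-algorithm check is unconditional.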
Hi,
The security level check will not be performed if there is no issuer.
That means if the issuer wasn't found you'll not know whether
GNUTLS_CERT_INSECURE_ALGORITHM would have been set for the specified
security level. Would that be acceptable?
Also you added the "if (sigalg >= 0)"... Why is that needed? Isn't
sigalg always positive at this point?
> {
> diff --git a/tests/test-chains.h b/tests/test-chains.h
> index 28974e1..ff9086f 100644
> --- a/tests/test-chains.h
> +++ b/tests/test-chains.h
> @@ -1366,9 +1366,11 @@ static struct
> } chains[] =
> {
> { "CVE-2014-0092", cve_2014_0092_check, &cve_2014_0092_check[1],
> - 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
> + GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
> + GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID },
> { "CVE-2008-4989", cve_2008_4989_chain, &cve_2008_4989_chain[2],
> - 0, GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID },
> + GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
> + GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID },
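Review bot: passing GNUTLS_VERIFY_DISABLE_TIME_CHECKS for the CVE-2014-0092 and CVE-2008-4989 entries masks the expiry of these fixed regression chains instead of recording it, so the table no longer exercises the very behaviour this patch introduces, namely that expiry is reported together with GNUTLS_CERT_SIGNER_NOT_CA / GNUTLS_CERT_SIGNER_NOT_FOUND in one call. Prefer keeping the flags at `0` and widening the expected mask, e.g. `GNUTLS_CERT_EXPIRED | GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID`, so the exact accumulated status of these CVE chains stays pinned.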
Wouldn't it be better here, instead of adding GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
to add GNUTLS_CERT_EXPIRED to the expected result? That way we can
test that the results remain consistent from now on.
Other than these, it looks reasonable. btw. would you like to send a
DCO on the list (as in http://www.gnutls.org/devel.html) ?
regards,
Nikos