[gnutls-devel] [PATCH V3] Check for all error conditions when verifying a certificate

Armin Burgmeier armin at arbur.net
Wed Sep 17 16:19:19 CEST 2014

Hi Nikos,

On Wed, 2014-09-17 at 13:12 +0200, Nikos Mavrogiannopoulos wrote:
> On Tue, Sep 16, 2014 at 8:02 PM, Armin Burgmeier <armin at arbur.net> wrote:
> > This allows checking for all possible flaws with a certificate chain with a
> > single call to gnutls_x509_crt_list_verify and friends.
> I've noticed that this causes some discrepancies between
> pkcs11-chainverify and chainverify in the verification. That is not
> much of your concern of course as it is about the PKCS#11 module
> verification and I'll handle it, but it uncovered the following issue:
> The verification of a chain works like that:
> CA -> ICA1 -> ICA2 -> ENDCERT
> To prevent a DoS (e.g. by a server or client that sends a list of 1000
> certificates) it starts like (see _gnutls_verify_crt_status()):
> 1. verify: CA -> CA1
> if (fail return status)
> 2. verify: CA1 -> CA2
> if (fail return status)
> 3. verify: CA2 -> ENDCERT
> if (fail return status)
> So with your patch you'll get the status up to the point of first
> failure. If the failure is in step 1 you'll get the full status for
> CA->CA1 verification, but no flag will apply on ENDCERT. In your case
> I think you verify against the scenario: CA -> ENDCERT, so you get
> some reasonable flags. I don't know how reasonable these would be if
> you are in a multiple CA scenario. Still it may make sense to do that
> (in that case I should document that correctly), and I'm not sure
> whether getting the flags of the 3 steps combined would offer much of
> an advantage as they refer to multiple certificates. What do you think
> of that? Is the current situation reasonable for your use case?

Yes, I think it is reasonable. As you say in the scenario with
intermediate CAs, the verification flags would be for multiple
verifications combined, and therefore still lack some information. I
think it is fine if it is documented that:

a) the verification procedure stops if a failure has been found with one
certificate in the chain.
b) in that case all issues with that particular certificate are
c) the verification order starts from CA->CA1, then CA1->CA2, ..., then
d) if people need to know more details, they should run the verification
for each certificate in the chain individually.

Does it sound good to you?
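
A small C model of points a) to d) above, added here as an illustration and not code from GnuTLS or from the patch. The status bits, the struct and the function names are hypothetical, and each step's flaws are constructed sample data rather than the result of real signature checks.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status bits for this model; these are not GnuTLS constants. */
enum { ST_INVALID = 1, ST_BAD_SIGNATURE = 2, ST_EXPIRED = 4, ST_WEAK_ALGO = 8 };

/* One issuer -> subject step, with the flaws a full check of it would find. */
struct link { const char *issuer, *subject; unsigned flaws; };

/* Constructed sample: step 1 has two flaws, step 3 has one. */
const struct link sample_chain[3] = {
    { "CA",  "CA1",     ST_BAD_SIGNATURE | ST_WEAK_ALGO },
    { "CA1", "CA2",     0 },
    { "CA2", "ENDCERT", ST_EXPIRED },
};

/* Check one step and report every flaw on it, not only the first. */
static unsigned verify_link(const struct link *l) { return l->flaws ? (l->flaws | ST_INVALID) : 0; }

/* Chain mode: walk from the CA side and stop at the first failing step.
 * *failed_at receives that step's index, or n when every step passed. */
unsigned verify_chain(const struct link *c, size_t n, size_t *failed_at)
{
    for (size_t i = 0; i < n; i++) {
        unsigned st = verify_link(&c[i]);
        if (st) { *failed_at = i; return st; }
    }
    *failed_at = n;
    return 0;
}

/* Per-certificate mode: check every step; returns how many failed. */
size_t verify_each(const struct link *c, size_t n, unsigned *out)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += (out[i] = verify_link(&c[i])) != 0;
    return bad;
}

int main(void)
{
    size_t at; unsigned per[3];
    unsigned st = verify_chain(sample_chain, 3, &at);
    printf("chain: stopped at step %zu, status 0x%x\n", at + 1, st);
    verify_each(sample_chain, 3, per);
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s: 0x%x\n", sample_chain[i].issuer, sample_chain[i].subject, per[i]);
    return 0;
}
```

In chain mode the expired ENDCERT never shows up in the status because the walk stops at CA -> CA1; only the per-step run reports it.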

