[gnutls-devel] GnuTLS | pkcs11: respect Mozilla's time-based distrust upon issuer lookup (!1725)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Mar 14 11:43:07 CET 2023
Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1725 was reviewed by Alexander Sosedkin
--
Alexander Sosedkin started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313015185
> (certificate_list[clist_size - 1],
> certificate_list[clist_size - 1]) != 0) {
> clist_size--;
Does that mean that a self-signed CA which would've failed a distrust-after check will just go unchecked?
--
Alexander Sosedkin started a new discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313015192
> + && distrust_after <=
> + gnutls_x509_crt_get_activation_time(certificate_list
> + [clist_size - 1])) {
Is distrust-after defined / supposed to be used for non-root cases?
--
Alexander Sosedkin started a new discussion on lib/pkcs11.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313015200
> + a[0].type = CKA_NSS_SERVER_DISTRUST_AFTER;
> + } else {
> + a[0].type = CKA_NSS_EMAIL_DISTRUST_AFTER;
Seems like a strange choice to fall back to EMAIL case if NONE will passed. I suggest either asserting it's not NONE or returning a special value.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20230314/2528a02e/attachment-0001.html>
More information about the Gnutls-devel
mailing list