[gnutls-devel] GnuTLS | pkcs11: respect Mozilla's time-based distrust upon issuer lookup (!1725)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Mar 14 15:01:07 CET 2023

Daiki Ueno commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313385806

>  		if (gnutls_x509_crt_check_issuer
>  		    (certificate_list[clist_size - 1],
>  		     certificate_list[clist_size - 1]) != 0) {
>  			clist_size--;

I can think of a couple of cases: either the chain consists of a self-signed CA and EE certs, or only a self-signed CA. In either case, the CA cert must be in the trust store, for the chain to be successfully verified, so the former wouldn't be a problem. The latter is more interesting: if the CA is assigned distrust-after before its activation time, it will still be trusted, but I would consider it as an inconsistency in the trust store management, that should be resolved by some other means.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313385806
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20230314/25f43918/attachment-0001.html>

More information about the Gnutls-devel mailing list