[gnutls-devel] GnuTLS | pkcs11: respect Mozilla's time-based distrust upon issuer lookup (!1725)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Mar 14 15:02:05 CET 2023
Daiki Ueno commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313387550
> goto cleanup;
> }
>
> + /* check if the raw issuer is assigned with a time-based
> + * distruct and the certificate is issued after that period
> + */
> + distrust_after =
> + _gnutls_pkcs11_get_distrust_after(url, issuer,
> + purpose == NULL ?
> + GNUTLS_KP_TLS_WWW_SERVER :
> + purpose,
> + GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
> + if (distrust_after != (time_t) - 1
> + && distrust_after <=
> + gnutls_x509_crt_get_activation_time(certificate_list
> + [clist_size - 1])) {
It can be used for non-root cases, but they must be present in the PKCS#11 trust store I would say.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313387550
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20230314/36736683/attachment.html>
More information about the Gnutls-devel
mailing list