[gnutls-devel] GnuTLS | pkcs11: respect Mozilla's time-based distrust upon issuer lookup (!1725)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Mar 14 16:04:04 CET 2023
Daiki Ueno commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313498660
> if (gnutls_x509_crt_check_issuer
> (certificate_list[clist_size - 1],
> certificate_list[clist_size - 1]) != 0) {
> clist_size--;
If I understand correctly, the logic below this part is:
- `gnutls_pkcs11_get_raw_issuer` call on intermediate (i.e., `certificate_list[cert_list - 1]`) will retrieve a raw DER representation of CA
- the raw DER is imported into `issuer` with `gnutls_x509_crt_import`
- distrust-after check is performed between intermediate and `issuer` (= CA)
Would it be insufficient?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1313498660
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20230314/dfe2a64e/attachment.html>
More information about the Gnutls-devel
mailing list