[gnutls-devel] GnuTLS | pkcs11: respect Mozilla's time-based distrust upon issuer lookup (!1725)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Mar 15 00:36:41 CET 2023




Daiki Ueno commented on a discussion on lib/x509/verify.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1314311999

>  		goto cleanup;
>  	}
>  
> +	/* check if the raw issuer is assigned with a time-based
> +	 * distruct and the certificate is issued after that period
> +	 */
> +	distrust_after =
> +	    _gnutls_pkcs11_get_distrust_after(url, issuer,
> +					      purpose == NULL ?
> +					      GNUTLS_KP_TLS_WWW_SERVER :
> +					      purpose,
> +					      GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
> +	if (distrust_after != (time_t) - 1
> +	    && distrust_after <=
> +	    gnutls_x509_crt_get_activation_time(certificate_list
> +						[clist_size - 1])) {

I'd say it's not worth it, because the distrust-after property is asserted as a PKCS#11 attribute, and that means that ICAs also need to be present on the trust store.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1725#note_1314311999
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20230314/96b7043d/attachment-0001.html>


More information about the Gnutls-devel mailing list