Problems handling X.509 certificates

lfinsto at lfinsto at
Mon Nov 30 16:52:49 CET 2009

Daniel Kahn Gillmor wrote:

> On 11/26/2009 09:18 AM, Simon Josefsson wrote:

> [... What you want to do is
> to put the ordered certificates (end-entity cert, followed by successive
> CA certs) in file A, and then the private key in a file B (only the
> end-entity's private key -- there's no need to have the private key for
> any intermediate CA).  then call gnutls_certificate_set_x509_key_file
> once, pointing to A and B.

With your help and Simon's, I have now managed to get verification to work
this way using a proxy, the certificate with which I signed the proxy, and
the CA's certificate.  There are a couple of points I thought I'd mention,
in case Simon would like to account for them when revising the

1.  In the file `ex-verify.c', the following variables are global:

gnutls_x509_crl_t *crl_list;
int crl_list_size;

gnutls_x509_crt_t *ca_list;
int ca_list_size;

They are passed to `verify_last_cert' by `verify_certificate_chain'.  It
was not clear to me where the values they contained were supposed to come

I solved the problem by calling the following code in `main' (from Example
7.4.2 Echo Server with X.509 Authentication II):

ca_list = malloc(sizeof(gnutls_x509_crt_t));
gnutls_certificate_get_x509_cas(cert_cred, &ca_list, &ca_list_size);


free(ca_list);  /* After we're done with verification  */
ca_list = 0;

(The variables had to be declared `extern' in the file that contains `main'.)

Is this what I ought to be doing?

2.  `gnutls_x509_crt_verify' sets the `GNUTLS_CERT_INVALID' bit in its
`*FLAGS' argument when the signer isn't a CA, which is the case when the
certificate being tested is the proxy signed by my certificate.  This
isn't a serious problem, but it didn't work when I tried to use my non-CA
certificate as a trusted CA file.  I haven't tested this thoroughly,
however.  I would like for the clients to be able to just send a proxy,
though they will have had to have sent a trusted certificate previously. 
It would be easier if I could use the latter as a trusted CA certificate,
but I can work around this if this isn't possible.

Thanks again for your help.


Laurence Finston
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
37077 Goettingen

Telephone: 	+49 551 201-1882
E-Mail: 	lfinsto at
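
Added example, not part of the original message and not GnuTLS code: a stand-alone Python check of the file layout described in the quoted advice (file A ordered end-entity first, then each successive issuer; file B holding only a private key). It compares issuer and subject names byte for byte and verifies no signatures; all function names and the unsigned sample certificates are constructed for illustration.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block, in file order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, pos, pos + length

def issuer_subject(cert):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = tlv(cert, pos)  # tbsCertificate SEQUENCE
    fields = []                 # version, serial, sigAlg, issuer, validity, subject
    while len(fields) < 6:
        tag, _, end = tlv(cert, pos)
        if not fields and tag != 0xA0:
            fields.append(b"")  # v1 certificate: the optional [0] version is absent
        fields.append(cert[pos:end])
        pos = end
    return fields[3], fields[5]

def check_chain_file(text):
    """Problems found in file A; an empty list means end-entity first, then its issuers."""
    blocks = pem_blocks(text)
    problems = [f"unexpected {lbl} block" for lbl, _ in blocks if lbl != "CERTIFICATE"]
    names = [issuer_subject(der_bytes) for lbl, der_bytes in blocks if lbl == "CERTIFICATE"]
    for i in range(len(names) - 1):  # byte-exact name chaining only, no signature check
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

def check_key_file(text):
    """File B must hold exactly one PEM block, and it must be a private key."""
    return [lbl.endswith("PRIVATE KEY") for lbl, _ in pem_blocks(text)] == [True]

# Constructed sample data: unsigned certificate skeletons, not real certificates.
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough for the sample
def name(cn):
    return der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, cn.encode()))))
def sample_cert(subject, issuer):
    tbs = der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject)
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der(0x30, der(0x30, tbs))).decode() + "-----END CERTIFICATE-----\n"
```

For the setup in this thread, a correctly ordered file A would be `sample_cert("proxy", "user") + sample_cert("user", "CA")`, for which `check_chain_file` returns an empty list.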
