Checking expiry of my own certificates

Michael Welsh Duggan mwd at cert.org
Wed Jun 2 16:59:42 CEST 2010


I work on a project where we have written a client and server that use
GnuTLS to communicate.  Specifically, the client and server use
gnutls_certificate_set_x509_trust_file() to load a CA and
gnutls_certificate_set_x509_simple_pkcs12_file() to load a password
protected certificate/key pair.

Recently we have had an experience attempting to communicate using
certificates that have expired.  When using certs that have expired,
the call to gnutls_certificate_verify_peers2() will set the
GNUTLS_CERT_EXPIRED flag in the 'status' variable (assuming GnuTLS
2.6.6 or later---thanks for adding this check).

What we would rather have happen is that when the client or server
start, they check the expiration times on the certificates they read,
and exit if they find no valid certificates.  This saves us from
attempting a connection that is going to be rejected because of the
expired certificates.

Once we've loaded the CA into the gnutls_certificate_credentials_t
structure, we can use gnutls_certificate_get_x509_cas() to loop over
the CAs and check their activation and expiration times (using
gnutls_x509_crt_get_activation_time()).

However, we don't see a way to do that with the certificate/key pair
that we load.  gnutls_x509_crt_list_verify() looks close, however it
does not check the activation/expiration times, and we haven't found a
function that lets me get a certificate list from a
gnutls_certificate_credentials_t structure.

Are we missing something?  Are there other suggestions on how to perform
this check?

-- 
Michael Welsh Duggan
(mwd at cert.org)
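The startup check the post asks for, written out as an added example that is not part of the original message or of GnuTLS itself. It assumes the two time values per certificate come from gnutls_x509_crt_get_activation_time() and gnutls_x509_crt_get_expiration_time(), which return (time_t)-1 on error, and the timestamps in main() are constructed sample data.

```c
#include <stdio.h>
#include <stddef.h>
#include <time.h>

/* Outcome of checking one certificate's validity window. */
typedef enum {
    CERT_TIME_ERROR = 0,   /* a time field could not be read: treat as unusable */
    CERT_NOT_YET_VALID,    /* activation time lies in the future */
    CERT_EXPIRED,          /* expiration time has passed */
    CERT_EXPIRING_SOON,    /* usable now, but expires within the warning window */
    CERT_VALID
} cert_time_status;

/* Classify a certificate from its activation and expiration times.
 * In the real program both values come from gnutls_x509_crt_get_activation_time()
 * and gnutls_x509_crt_get_expiration_time(); their (time_t)-1 error sentinel must
 * be rejected explicitly, otherwise it would compare as "expired long ago" or,
 * on an unsigned time_t, as "never expires". */
cert_time_status check_cert_window(time_t activation, time_t expiration,
                                   time_t now, time_t warn_seconds)
{
    if (activation == (time_t)-1 || expiration == (time_t)-1)
        return CERT_TIME_ERROR;
    if (now < activation)
        return CERT_NOT_YET_VALID;
    if (now > expiration)
        return CERT_EXPIRED;
    if (expiration - now <= warn_seconds)
        return CERT_EXPIRING_SOON;
    return CERT_VALID;
}

/* Startup check over n (activation, expiration) pairs: returns how many
 * certificates are usable right now, so the caller can exit when it is zero
 * instead of attempting a connection the peer will reject as expired. */
int count_usable_certs(const time_t *activations, const time_t *expirations,
                       size_t n, time_t now, time_t warn_seconds)
{
    int usable = 0;
    for (size_t i = 0; i < n; i++) {
        cert_time_status s = check_cert_window(activations[i], expirations[i],
                                               now, warn_seconds);
        if (s == CERT_EXPIRING_SOON)
            fprintf(stderr, "warning: certificate %zu expires in %ld day(s)\n",
                    i, (long)((expirations[i] - now) / 86400));
        if (s == CERT_VALID || s == CERT_EXPIRING_SOON)
            usable++;
    }
    return usable;
}

int main(void)
{
    /* Constructed sample: one expired, one not yet valid, one expiring in 3 days. */
    time_t now = 1275494382;                /* fixed "now" for a reproducible run */
    time_t act[] = { now - 400 * 86400, now + 86400, now - 360 * 86400 };
    time_t exp[] = { now - 35 * 86400,   now + 365 * 86400, now + 3 * 86400 };
    int usable = count_usable_certs(act, exp, 3, now, 7 * 86400);
    printf("%d usable certificate(s)\n", usable);
    return usable > 0 ? 0 : 1;              /* exit non-zero when none is usable */
}
```

Newer GnuTLS releases (3.4 and later) expose the certificates loaded into a gnutls_certificate_credentials_t via gnutls_certificate_get_x509_crt(), which is the natural source for the time values above.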