Checking expiry of my own certificates
Simon Josefsson
simon at josefsson.org
Mon Jun 7 17:37:11 CEST 2010
Michael Welsh Duggan <mwd at cert.org> writes:
> I work on a project where we have written a client and server that use
> GnuTLS to communicate. Specifically, the client and server use
> gnutls_certificate_set_x509_trust_file() to load a CA and
> gnutls_certificate_set_x509_simple_pkcs12_file() to load a password
> protected certificate/key pair.
>
> Recently we have had an experience attempting to communicate using
> certificates that have expired. When using certs that have expired,
> the call to gnutls_certificate_verify_peers2() will set the
> GNUTLS_CERT_EXPIRED flag in the 'status' variable (assuming GnuTLS
> 2.6.6 or later---thanks for adding this check).
>
> What we would rather have happen is that when the client or server
> start, they check the expiration times on the certificates they read,
> and exit if they find no valid certificates. This saves us from
> attempting a connection that is going to be rejected because of the
> expired certificates.
>
> Once we've loaded the CA into the gnutls_certificate_credentials_t
> structure, we can use gnutls_certificate_get_x509_cas() to loop over
> the CAs and check their activation and expiration times (using
> gnutls_x509_crt_get_activation_time()).
>
> However, we don't see a way to do that with the certificate/key pair
> that we load. gnutls_x509_crt_list_verify() looks close, however it
> does not check the activation/expiration times, and we haven't found a
> function that lets me get a certificate list from a
> gnutls_certificate_credentials_t structure.
>
> Are we missing something? Are there other suggestions on how to perform
> this check?
Doesn't gnutls_x509_crt_list_verify check times? If I read the code for
gnutls_certificate_verify_peers2, it calls
_gnutls_x509_cert_verify_peers which calls gnutls_x509_crt_list_verify.
I can't find any time checks outside of that function.
Note that the function trims trusted certificates from the list of
certificates to check expiration dates on.
It could be a bug, see if you can create a small test case that calls
gnutls_x509_crt_list_verify on a chain which doesn't fail but should.
/Simon
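A startup self-check of the kind Michael describes, as an added example that is not part of this thread or of GnuTLS: pull notBefore/notAfter out of each certificate the process is about to present, classify it against the local clock, and refuse to start when nothing is currently valid. In GnuTLS the same two values come from gnutls_x509_crt_get_activation_time() and gnutls_x509_crt_get_expiration_time() on each loaded gnutls_x509_crt_t; this example reads them straight out of the DER with a minimal ASN.1 walker so it runs without the library, and it goes a little beyond the thread by also reporting not-yet-valid and near-expiry certificates. The sample certificate built by make_sample_certificate() is constructed for the example (a structurally valid, unsigned X.509 shell); the helper names and the 14-day warning threshold are this example's own choices.

```python
"""Check a certificate's validity window before trying to use it (added example)."""
import base64
import re
import sys
from datetime import datetime, timedelta, timezone


def utc(*ymdhms):
    """Aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value) for every TLV inside a constructed element."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, buf[vstart:vend]
        pos = vend


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000   # RFC 5280 4.1.2.5.1 two-digit-year pivot
        text = f"{year:04d}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag {tag:#x}")
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError("unsupported Time encoding")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def load_der(data):
    """Accept raw DER or a PEM-armoured certificate."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def certificate_validity(der):
    """Return (notBefore, notAfter) of an X.509 certificate as aware UTC datetimes."""
    tag, s, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    tbs_tag, ts, te = _read_tlv(der, s)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = list(_children(der, ts, te))
    if fields and fields[0][0] == 0xA0:            # optional [0] EXPLICIT version
        fields.pop(0)
    validity_tag, validity = fields[3]             # serial, signature, issuer, validity
    times = list(_children(validity, 0, len(validity)))
    if validity_tag != 0x30 or len(times) != 2:
        raise ValueError("malformed validity")
    return _parse_time(*times[0]), _parse_time(*times[1])


def check_validity(der, now=None, warn_days=14):
    """Classify a certificate relative to `now`: ok / expiring-soon / expired / not-yet-valid."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if not_after - now < timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def _tlv(tag, value):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_sample_certificate(not_before, not_after):
    """Constructed test input: an unsigned X.509 v3 shell with the given validity window."""
    utctime = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0c, b"example"))))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg + name
           + _tlv(0x30, utctime(not_before) + utctime(not_after)) + name
           + _tlv(0x30, sig_alg + _tlv(0x03, b"\x00\x00")))       # dummy SubjectPublicKeyInfo
    return _tlv(0x30, _tlv(0x30, tbs) + sig_alg + _tlv(0x03, b"\x00\x00"))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    certs = {"sample-fresh": make_sample_certificate(now - timedelta(days=1), now + timedelta(days=365)),
             "sample-expired": make_sample_certificate(now - timedelta(days=400), now - timedelta(days=1))}
    for path in sys.argv[1:]:                      # optional: real DER/PEM files to check
        with open(path, "rb") as f:
            certs[path] = load_der(f.read())
    usable = 0
    for label, der in certs.items():
        status = check_validity(der)
        print(f"{label}: {status} (notAfter {certificate_validity(der)[1]:%Y-%m-%d %H:%M:%S}Z)")
        usable += status in ("ok", "expiring-soon")
    sys.exit(0 if usable else 1)                   # refuse to start with no usable certificate
```

Run it with the paths of the certificates the client or server is about to load (`python check_validity.py server.pem ca.der`); it exits non-zero when none of them is usable. The check is only as good as the local clock, and the peer will still apply its own clock and its own verification policy, so this is a way to fail early, not a substitute for gnutls_certificate_verify_peers2().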