Checking CA expiration
Michael Welsh Duggan
mwd at cert.org
Thu Oct 20 21:37:13 CEST 2011
Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> On 10/19/2011 08:30 PM, Michael Welsh Duggan wrote:
>> In our code, we add CAs to our credentials using
>> gnutls_set_x509_trust_file. In gnutls 2.x, we then get a list of the
>> CAs using gnutls_certificate_get_x509_cas which we then use to verify
>> that at least one of the CAs has not yet expired. We want to do this
>> _before_ initiating a session.
>> Is this possible in gnutls 3.x? gnutls_certificate_get_x509_cas has
>> gone away, supposedly in favor of gnutls_certificate_get_issuer(), but
>> that requires an existing session.
>
> Why not use gnutls_x509_crt_list_import() or
> gnutls_x509_crt_list_import2() and traverse the list of the CAs? The
> access to the the CA list in the credentials structure has been
> restricted to allow for future internal changes.
Yup this works. There are so many API calls, it can be difficult to
determine which ones to use.
--
Michael Welsh Duggan
(mwd at cert.org)
More information about the Gnutls-help
mailing list