upgrading from 2 to 3: gnutls_certificate_get_x509_c{a,rl}s

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Aug 18 09:03:32 CEST 2012


On 08/17/2012 09:31 PM, Thomas Klausner wrote:

> Hi!
> 
> First off: I know nothing about gnutls except what I can google
> together. I'm looking at compiling freeDiameter-1.1.2 on my system,
> which has gnutls-3.0.22 installed.
> It doesn't compile because of
> ../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_crls'
> ../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_cas'
> I found
> http://www.gnu.org/software/gnutls/manual/html_node/Upgrading-from-previous-versions.html
> which says:
> gnutls_certificate_get_x509_crls, gnutls_certificate_get_x509_cas:
> Removed to allow updating the internal structures. Replaced by
> gnutls_certificate_get_issuer.


Indeed. The above functions are no longer available.

> The code looks like this:
> 
>                 GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) );
>                 GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) );
>                 CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify),
>                         {
>                                 TRACE_DEBUG(INFO, "Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file);
>                                 return EINVAL;
>                         } );


What the code you quote is doing is verifying certs of cert_max size
against the CA_list and CRL_list received from the previous calls.

You can do a similar thing using gnutls_certificate_get_issuer(). You
get the issuer of certs[cert_max-1] and verify against that. That would
be something similar to:

gnutls_x509_crt_t CA = NULL;

CHECK_GNUTLS_DO( gnutls_certificate_get_issuer(fd_g_config->cnf_sec_data.credentials,
                        certs[cert_max-1], &CA, 0),
        { TRACE_DEBUG(INFO, "Cannot find the issuer of the local certificate."); return EINVAL; } );

/* verify against that single issuer; no CRL list is passed */
CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, &CA, 1,
                        NULL, 0, 0, &verify),
        { TRACE_DEBUG(INFO, "Failed to verify the local certificate against its issuer."); return EINVAL; } );

> I don't see how I can replace gnutls_certificate_get_x509_cas and
> gnutls_certificate_get_x509_crls with gnutls_certificate_get_issuer
> here because gnutls_x509_crt_list_verify needs CA_list and CRL_list
> filled out by the two functions.


The verification against the CRLs isn't available. If you want to do
elaborate verification you may use the functions at:
http://www.gnu.org/software/gnutls/manual/html_node/Verifying-X_002e509-certificate-paths.html#Verifying-X_002e509-certificate-paths

The certificate structure is supposed to be used by functions like
gnutls_certificate_verify_peers2().

> If we come up with a fix, the next question will be what you recommend
> on keeping code backwards compatible with gnutls-2.


In that case you'll have to use conditional code, or use
gnutls_certificate_verify_peers2() if possible (if in the actual snippet
above you're verifying the peer's certificate).

regards,
Nikos