[gnutls-help] gnutls_x509_crl_verify fails for new generated certificates or CRL
Adrien Béraud
adrien.beraud at savoirfairelinux.com
Wed Nov 30 22:15:41 CET 2016
I make use of GnuTLS certificate revocation list methods, including gnutls_x509_crl_verify, but it looks like there is some issue:
gnutls_x509_crl_verify calls find_crl_issuer, which calls is_crl_issuer, which calls _gnutls_x509_compare_raw_dn.
However, it seems that the raw_dn field is not set for a newly generated certificate, only for a certificate loaded using the gnutls_x509_crt_import functions.
Also, it seems the raw_issuer_dn field is not set for a newly generated CRL, only for a CRL loaded using the gnutls_x509_crl_import functions.
So gnutls_x509_crl_verify fails when used with a newly generated certificate or CRL.
This also means that if multiple new certificates and a new CRL are provided to gnutls_x509_crl_verify, any of the provided certificates will match, since the raw DN is always empty and so always equal.
Fortunately, in this case the signature check would fail later in gnutls_x509_crl_verify, so this might not be a security issue.
Can you confirm the issue?
Thanks,
Adrien Beraud
Savoir-faire Linux