[gnutls-help] gnutls_x509_crl_verify fails for new generated certificates or CRL
adrien.beraud at savoirfairelinux.com
Wed Nov 30 22:15:41 CET 2016
I make use of GnuTLS certificate revocation list methods, including gnutls_x509_crl_verify, but it looks like there is some issue:
However, it seems that the raw_dn field is not set for a newly generated certificate, only for a certificate loaded using the gnutls_x509_crt_import functions.
Also, it seems the raw_issuer_dn field is not set for a newly generated CRL, only for a CRL loaded using the gnutls_x509_crl_import functions.
So gnutls_x509_crl_verify fails when used with a newly generated certificate or CRL.
Also, this means that if multiple new certificates and a new CRL are provided to gnutls_x509_crl_verify, any of the provided certificates will match, since the raw DN is always empty and so always equal.
Fortunately, in this case the signature check would fail later in gnutls_x509_crl_verify, so this might not be a security issue.
Can you confirm the issue?
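A small model of the DN-matching step described in the message above, added here as an example; it is not GnuTLS code and not part of the original post. The struct, the function names and the DN bytes are hypothetical and constructed. It shows why two unpopulated raw DNs match each other and how requiring a populated DN on both sides removes the false match.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not GnuTLS code: an object reduced to the raw DN
 * bytes that issuer lookup compares. size == 0 means "never populated". */
struct raw_dn { const unsigned char *data; size_t size; };

/* Length-then-bytes equality: two unpopulated DNs compare equal. */
static int dn_equal(const struct raw_dn *a, const struct raw_dn *b)
{
    if (a->size != b->size)
        return 0;
    return a->size == 0 || memcmp(a->data, b->data, a->size) == 0;
}

/* Index of the first candidate whose subject DN equals the CRL issuer DN,
 * or -1. With require_dn set, an unpopulated DN never matches. */
static int find_issuer(const struct raw_dn *crl_issuer,
                       const struct raw_dn *subjects, size_t n, int require_dn)
{
    if (require_dn && crl_issuer->size == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (require_dn && subjects[i].size == 0)
            continue;
        if (dn_equal(crl_issuer, &subjects[i]))
            return (int)i;
    }
    return -1;
}

/* Constructed sample data: placeholder bytes standing in for DER names. */
static const unsigned char DN_A[] = "CN=Example CA A";
static const unsigned char DN_B[] = "CN=Example CA B";
static const struct raw_dn GENERATED[2] = { { NULL, 0 }, { NULL, 0 } };
static const struct raw_dn IMPORTED[2] = {
    { DN_A, sizeof DN_A - 1 }, { DN_B, sizeof DN_B - 1 } };
static const struct raw_dn CRL_GENERATED = { NULL, 0 };
static const struct raw_dn CRL_FROM_B = { DN_B, sizeof DN_B - 1 };

int main(void)
{
    printf("generated, naive:   %d\n", find_issuer(&CRL_GENERATED, GENERATED, 2, 0));
    printf("generated, guarded: %d\n", find_issuer(&CRL_GENERATED, GENERATED, 2, 1));
    printf("imported,  guarded: %d\n", find_issuer(&CRL_FROM_B, IMPORTED, 2, 1));
    return 0;
}
```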