[gnutls-help] gnutls_x509_crl_verify fails for new generated certificates or CRL

Adrien Béraud adrien.beraud at savoirfairelinux.com
Wed Nov 30 22:15:41 CET 2016


I make use of GnuTLS certificate revocation list methods, including gnutls_x509_crl_verify, but it looks like there is some issue:

gnutls_x509_crl_verify calls find_crl_issuer, which calls is_crl_issuer, which calls _gnutls_x509_compare_raw_dn.

However, it seems that the raw_dn field is not set for a newly generated certificate, only for a certificate loaded using the gnutls_x509_crt_import functions.
Also, it seems the raw_issuer_dn field is not set for a newly generated CRL, only for a CRL loaded using the gnutls_x509_crl_import functions.

So gnutls_x509_crl_verify fails when used with a newly generated certificate or CRL.

Also, this means that if multiple new certificates and a new CRL are provided to gnutls_x509_crl_verify, any of the provided certificates will match, since the raw DN is always empty and so always equal.
Fortunately, in this case the signature check would fail later in gnutls_x509_crl_verify, so this might not be a security issue.

Can you confirm the issue?
Thanks, 

Adrien Beraud 
Savoir-faire Linux 