[gnutls-dev] NO_CERTIFICATE_FOUND if CA list is empty (CVS)

Andrew McDonald andrew at mcdonald.org.uk
Sun Mar 17 21:41:01 CET 2002

In the CVS version of gnutls I get a GNUTLS_E_NO_CERTIFICATE_FOUND
error if there are no CA certificates in the credentials list, e.g.
when the certificate file set through
gnutls_certificate_set_x509_trust_file is empty or does not exist.

This is because of the tcas_size == 0 check in
_gnutls_x509_verify_certificate. In 0.3.5 the tcas_size == 0 check in
gnutls_verify_certificate caused it to return GNUTLS_CERT_NOT_TRUSTED.

The 0.3.5 behaviour seems the correct one to me since the user may not
have any CAs and just wants to check the fingerprint of each
certificate by hand, especially in situations where the certificate is
likely to be self-signed.

Just getting rid of the tcas_size == 0 check at the start of
_gnutls_x509_verify_certificate should be enough, since
the later call to gnutls_verify_certificate2 will return/set
GNUTLS_CERT_NOT_TRUSTED if !(tcas_size >= 1). This will also ensure
that the EXPIRED and other flags are set as appropriate.

One line patch attached.

Andrew McDonald
E-mail: andrew at mcdonald.org.uk
-------------- next part --------------
--- x509_verify.c~	Sun Mar 17 20:35:30 2002
+++ x509_verify.c	Sun Mar 17 20:36:21 2002
@@ -368,7 +368,7 @@
 	int i = 0, ret;
 	CertificateStatus status=0;
-	if (tcas_size == 0 || clist_size == 0) {
+	if (clist_size == 0) {
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: </pipermail/attachments/20020317/1c154216/attachment.pgp>

More information about the Gnutls-devel mailing list