[PATCH] add gnutls_certificate_find_issuer

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Feb 20 13:52:54 CET 2008

On Feb 19, 2008 11:33 PM, Joe Orton <jorton at redhat.com> wrote:

> When an SSL handshake takes place and a server cert cannot be verified
> for some reason (commonName mismatch, for example), the neon API then
> needs to expose the whole server cert chain to the application, so that
> it can be presented to a user for manual verification.
> gnutls_certificate_get_peers() will not necessarily return that whole
> chain, so neon needs some way to recreate the chain based on the
> configured set of trusted certs.  That is what
> gnutls_certificate_find_issuer() is for.
> Does that make sense?
> With respect to exposing structure contents directly, I would generally
> advocate exposing functions instead where possible, since structures
> bring restrictive ABI constraints.

Indeed but I'm thinking that someone might do more than check a single
issuer. He might want to print the whole imported list. In that case
I'd use something like gnutls_certificate_export_x509_cas() that will
return the whole list of issuers, and your check can be done at the
application level. Would something like this suit you?


More information about the Gnutls-devel mailing list