[PATCH] add gnutls_certificate_find_issuer

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Feb 20 13:52:54 CET 2008


On Feb 19, 2008 11:33 PM, Joe Orton <jorton at redhat.com> wrote:

> When an SSL handshake takes place and a server cert cannot be verified
> for some reason (commonName mismatch, for example), the neon API then
> needs to expose the whole server cert chain to the application, so that
> it can be presented to a user for manual verification.
>
> gnutls_certificate_get_peers() will not necessarily return that whole
> chain, so neon needs some way to recreate the chain based on the
> configured set of trusted certs.  That is what
> gnutls_certificate_find_issuer() is for.
> Does that make sense?
>
> With respect to exposing structure contents directly, I would generally
> advocate exposing functions instead where possible, since structures
> bring restrictive ABI constraints.

Indeed, but I'm thinking that someone might do more than check a single
issuer. He might want to print the whole imported list. In that case
I'd use something like gnutls_certificate_export_x509_cas() that will
return the whole list of issuers, and your check can be done at the
application level. Would something like this suit you?

regards,
Nikos
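An added example (mine, not neon's or GnuTLS's code) of the application-level issuer search Nikos is proposing: given the certificates the peer sent and the exported list of configured CAs, walk from the server certificate up to a trusted root, taking each issuer from the configured CAs first and from the peer-supplied certificates second, and keep whatever partial chain exists when the walk fails so it can still be shown to the user. It is written in Go with the standard library's crypto/x509 standing in for the GnuTLS calls; the issuer test (issuer name matches the candidate's subject and the signature verifies under the candidate's key) is the check gnutls_x509_crt_check_issuer performs in GnuTLS. The root/intermediate/leaf hierarchy, the names in it and the BuildChain/findIssuer functions are all constructed here for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the test PKI below

// makeCert issues a certificate for cn, signed by parent/parentKey
// (self-signed when parent is nil). Constructed test data, not real certificates.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// findIssuer returns the first candidate that is a valid issuer of cert:
// the issuer DN must equal the candidate's subject DN and the signature must
// verify under the candidate's key. Returns nil when no candidate qualifies.
func findIssuer(cert *x509.Certificate, candidates []*x509.Certificate) *x509.Certificate {
	for _, c := range candidates {
		if !bytes.Equal(cert.RawIssuer, c.RawSubject) {
			continue // cheap name comparison before the signature check
		}
		if cert.CheckSignatureFrom(c) == nil {
			return c
		}
	}
	return nil
}

func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil
}

func contains(set []*x509.Certificate, c *x509.Certificate) bool {
	for _, s := range set {
		if s.Equal(c) {
			return true
		}
	}
	return false
}

// BuildChain walks from leaf towards a root, taking each issuer from the
// configured trusted CAs first and from the peer-supplied list second.
// The chain (leaf first) is returned even on error, so a partial chain can
// still be presented to the user for manual verification.
func BuildChain(leaf *x509.Certificate, peers, trusted []*x509.Certificate, maxDepth int) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	cur := leaf
	for len(chain) <= maxDepth {
		if isSelfSigned(cur) {
			if contains(trusted, cur) {
				return chain, nil
			}
			return chain, errors.New("chain ends at untrusted self-signed certificate " + cur.Subject.CommonName)
		}
		iss := findIssuer(cur, trusted)
		if iss == nil {
			iss = findIssuer(cur, peers)
		}
		if iss == nil {
			return chain, errors.New("no issuer found for " + cur.Subject.CommonName)
		}
		chain = append(chain, iss)
		cur = iss
	}
	return chain, errors.New("chain exceeds maximum depth") // bounds the walk on cross-signed loops
}

// PKI is a constructed test hierarchy: Root -> Inter -> Leaf, plus an unrelated root Other.
type PKI struct {
	Root, Inter, Leaf, Other *x509.Certificate
}

func NewPKI() PKI {
	root, rootKey := makeCert("Test Root CA", true, nil, nil)
	inter, interKey := makeCert("Test Intermediate CA", true, root, rootKey)
	leaf, _ := makeCert("www.example.test", false, inter, interKey)
	other, _ := makeCert("Unrelated Root CA", true, nil, nil)
	return PKI{Root: root, Inter: inter, Leaf: leaf, Other: other}
}

func main() {
	p := NewPKI()
	// The peer list holds only the leaf: the intermediate has to come from the CA list.
	chain, err := BuildChain(p.Leaf, []*x509.Certificate{p.Leaf}, []*x509.Certificate{p.Root, p.Inter}, 5)
	for _, c := range chain {
		fmt.Println("  ", c.Subject.CommonName)
	}
	fmt.Println("result:", err)
}
```

Run as is, it prints leaf, intermediate and root even though the peer list carries only the leaf; drop the intermediate from the trusted list as well and the walk stops after the leaf and reports the missing issuer, which is exactly the partial chain neon would want to show. Taking issuers from the trusted set before the peer list means a server cannot steer the displayed chain through a cross-certificate it supplied, and the depth bound keeps cross-signed loops from running the walk forever.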
