Claws Mail uses GnuTLS...

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Oct 10 18:57:00 CEST 2008


Colin Leroy wrote:
> ... with only one little problem.
> 
> I've mailed about that a while ago, and am wondering whether any
> progress has been made:
> 
> http://www.nabble.com/libgnutls:-Verifying-certificate-chains,-disconnected-td13269707.html
> 
> We save the certificate in DER form, so we're able to check whether it
> changed, and also able to show it from a list of saved certificates,
> like this:
> 
> http://colino.net/tmp/offline_cert_check.png
> 
> The problem is that in this case, we can't get the signature status. 

About the certificate file that you mention, note that "trust" is a
local issue outside the scope of gnutls. If I trust Verisign, it does not
mean you trust it too since you use gnutls. I'd understand some
distributions adding some trusted CA list under some specific criteria
and gnutls could work with that.

About the certificate verification, if I understand what you want to do,
there are no high level functions to verify a certificate using a
certificate list as the ones you describe.

However, you can do it using the X.509 API with the following (not
very efficient) procedure:

1. You load the trusted certificate list as well as the certificate to
be verified into memory

2. You convert the certificate to gnutls_x509_t structure using
gnutls_crt_import

3. You convert the CA certificate list using gnutls_x509_crt_list_import
to gnutls_x509_t structures

4. You verify the certificate against the CA list using
gnutls_x509_crt_verify


If you want to verify against CRLs[0]:
1. You get the issuer of the certificate using gnutls_x509_crt_get_issuer_dn

2. By traversing the imported CA list you find the issuer's certificate
(using gnutls_x509_crt_get_dn)

3. You use gnutls_x509_crt_get_crl_dist_points to obtain the URL of
the CA's CRL list

4. You download the CRL

5. You import the CRL using gnutls_x509_crl_import

6. You verify that the CRL belongs to the CA you found using
gnutls_x509_crl_verify

7. You check if the certificate's serial number is in the CRL list
using gnutls_x509_crl_get_crt_serial



[0] There are some other protocols such as OCSP to verify for a revoked
certificate.
