[gnutls-devel] [PATCH] Check for all error conditions when verifying a certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Sep 13 09:44:26 CEST 2014


On Fri, 2014-09-12 at 14:16 -0400, Armin Burgmeier wrote:

Thanks. Some comments inline.

> -	if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
> -	    ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
> -	     || issuer_version != 1)) {
> +	} else if (issuer != NULL &&
> +                   !(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
> +	           ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
> +	            || issuer_version != 1)) {

After this point wouldn't it make sense to have one large block with an
if (issuer != NULL)? (or at least one that is interrupted at some
point). I'm worried about the multiple checks for if not NULL, as it is
easy to miss one.

>  	if (func) {
>  		if (result == 0) {
>  			out |= GNUTLS_CERT_INVALID;
> @@ -1414,7 +1401,6 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
>  			*verify |=
>  			    GNUTLS_CERT_SIGNER_NOT_FOUND |
>  			    GNUTLS_CERT_INVALID;
> -		return 0;
>  	}
>  
>  	if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) {
> @@ -1424,7 +1410,6 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
>  				*verify |=
>  				    GNUTLS_CERT_SIGNER_NOT_CA |
>  				    GNUTLS_CERT_INVALID;
> -			return 0;
>  		}

Shouldn't the if (issuer != NULL) be repeated here as well? Even if
gnutls_x509_crt_get_ca_status() doesn't crash, you'll most probably get
a flag GNUTLS_CERT_SIGNER_NOT_CA, which is misleading as there is no
signer there.

regards,
Nikos





More information about the Gnutls-devel mailing list