[gnutls-devel] Support for OCSP Must-staple?

Tim Kosse tim.kosse at filezilla-project.org
Wed Jun 1 18:40:53 CEST 2016


Hi,

I had a look at the merge request. While I couldn't find any major
issues, there are still a few small things that should probably be fixed:

verify_crt in lib/x509/verify.c:
Function description still mentions the removed issuer parameter

verify_crt in lib/x509/verify.c:
The TLS feature check re-uses the nc_done label from the name
constraints checks. While the functionality is correct right now, it's
an easy source for errors should this function be changed in the future.
I suggest moving the TLS feature checking below the nc_done label and
adding a separate feat_done label.

gnutls_x509_tlsfeatures_crt in lib/x509/tls_features.c:
Line 240, format specifier doesn't match type of arguments. The size in
gnutls_x509_tlsfeatures_t is unsigned int.

parse_tlsfeatures in lib/x509/x509_ext.c:
The size limitation check should be done after the duplicate check,
otherwise appending fails when verifying chains where certificates use
the maximum allowed number of features.

tests/tlsfeature-ext.c:
Lines 145 and 146: The comment doesn't match the assert.

Regards,
Tim


On 2016-06-01 16:24, Nikos Mavrogiannopoulos wrote:
> On Mon, May 23, 2016 at 11:50 PM, Tim Kosse
> <tim.kosse at filezilla-project.org> wrote:
>> If I remember correctly, the following things are still missing:
>> - More unit tests
>> - Copying of the feature extension data from CRQs into the generated
>> certificates
> 
> Hi,
>  That was already handled (but needed the honor_crq_extensions
> template directive). I've included this as a functionality check in
> cert-tests/tlsfeature-test.
> 
>> - Dealing with certificate chains as described in section 4.2.2 of RFC7633
> 
> This should now be complete.
> https://gitlab.com/gnutls/gnutls/merge_requests/11
> 
> I've created it as a merge request, since it touches the verification
> boundary which is quite sensitive. If you (or anyone else) would like
> to review it, I'd appreciate it. The most concerning commits are
> 132d3f84 and 39c1239c.
> 
> regards,
> Nikos
> 
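The parse_tlsfeatures ordering point raised above, worked through as an added C example that is not GnuTLS code: a small parser for the RFC 7633 `Features ::= SEQUENCE OF INTEGER` extension whose append routine can run the size limit check either before or after the duplicate check. Merging a chain's feature lists, as the section 4.2.2 check does, only succeeds with the duplicate check first once a certificate already carries the maximum number of features. The MAX_FEATURES cap, the sample DER bytes and the function names are constructed for this example, not taken from the merge request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on stored features; the real GnuTLS limit is not on the page. */
#define MAX_FEATURES 4

typedef struct {
    unsigned int features[MAX_FEATURES];
    unsigned int size;   /* unsigned int, so a printf needs %u rather than %d */
} tlsfeatures_t;

enum { FEAT_OK = 0, FEAT_E_DER = -1, FEAT_E_FULL = -2 };

/* Add one feature id to the set, ignoring duplicates.
 * size_check_first reproduces the ordering the review objects to. */
int tlsfeatures_add(tlsfeatures_t *f, unsigned int feat, int size_check_first)
{
    unsigned int i;
    if (size_check_first && f->size >= MAX_FEATURES)
        return FEAT_E_FULL;          /* rejects even a no-op duplicate */
    for (i = 0; i < f->size; i++)
        if (f->features[i] == feat)
            return FEAT_OK;          /* already present: nothing to append */
    if (f->size >= MAX_FEATURES)
        return FEAT_E_FULL;          /* genuinely out of room */
    f->features[f->size++] = feat;
    return FEAT_OK;
}

/* Parse a DER "SEQUENCE OF INTEGER" (short-form lengths, non-negative values
 * up to 65535) and merge every feature id into *f. */
int tlsfeatures_parse(tlsfeatures_t *f, const uint8_t *der, size_t len,
                      int size_check_first)
{
    size_t pos, end;
    if (len < 2 || der[0] != 0x30 || (der[1] & 0x80) || (size_t)der[1] + 2 != len)
        return FEAT_E_DER;
    pos = 2;
    end = len;
    while (pos < end) {
        unsigned int val = 0;
        size_t ilen, i;
        int rc;
        if (end - pos < 2 || der[pos] != 0x02)
            return FEAT_E_DER;
        ilen = der[pos + 1];
        if (ilen == 0 || ilen > 3 || end - pos - 2 < ilen || (der[pos + 2] & 0x80))
            return FEAT_E_DER;       /* empty, oversized, truncated or negative */
        for (i = 0; i < ilen; i++)
            val = (val << 8) | der[pos + 2 + i];
        if (val > 65535)
            return FEAT_E_DER;
        rc = tlsfeatures_add(f, val, size_check_first);
        if (rc != FEAT_OK)
            return rc;
        pos += 2 + ilen;
    }
    return FEAT_OK;
}

/* Constructed sample: a CA certificate carrying the maximum number of features
 * (status_request = 5, status_request_v2 = 17, plus two made-up ids 32 and 33).
 * The end-entity certificate below repeats the same list, as RFC 7633 4.2.2 requires. */
static const uint8_t ca_features[] = {
    0x30, 0x0c,
    0x02, 0x01, 0x05,
    0x02, 0x01, 0x11,
    0x02, 0x01, 0x20,
    0x02, 0x01, 0x21
};

/* Number of distinct features parsed from the sample (expected: 4). */
unsigned int sample_feature_count(void)
{
    tlsfeatures_t set = {{0}, 0};
    if (tlsfeatures_parse(&set, ca_features, sizeof ca_features, 0) != FEAT_OK)
        return 0;
    return set.size;
}

/* Merge the issuer's list and then the end-entity's identical list, as a chain
 * check would; returns the result code of the second merge. */
int chain_merge(int size_check_first)
{
    tlsfeatures_t set = {{0}, 0};
    int rc = tlsfeatures_parse(&set, ca_features, sizeof ca_features, size_check_first);
    if (rc != FEAT_OK)
        return rc;
    return tlsfeatures_parse(&set, ca_features, sizeof ca_features, size_check_first);
}

int main(void)
{
    printf("features parsed: %u\n", sample_feature_count());
    printf("size check first: %d (spurious failure)\n", chain_merge(1));
    printf("duplicate check first: %d (ok)\n", chain_merge(0));
    return 0;
}
```

With the size check first, the second merge fails on its very first element even though nothing would be appended; with the duplicate check first, every element is recognised as already present and the chain verifies.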
