[Help-gnutls] Re: libgnutls: Verifying certificate chains, disconnected
Simon Josefsson
simon at josefsson.org
Fri Oct 19 11:18:08 CEST 2007
Colin Leroy <colin at colino.net> writes:
>> > At this step however, there's no connection to the server running,
>> > so I can only use gnutls_x509_crt_verify(), and that doesn't check
>> > the issuer certificate(s), so I always have GNUTLS_CERT_INVALID...
>> > Whereas using OpenSSL, I could use X509_verify_cert(&store) and
>> > openssl checks the whole chain.
>> >
>> > Do you have any pointers for that?
>>
>> Check the source code for gnutls_certificate_verify_peers2, it
>> contains what you have to do externally. I don't think there is a
>> better interface available.
>
> I've looked at it, but this code seems really closely interlaced with
> things done at session start, and I couldn't figure out how to get the
> certificates list starting from a gnutls_x509_crt...
The server provides the list, so if you are offline you need to
construct the list yourself somehow.
The X.509 interface in GnuTLS isn't ideal for non-TLS purposes, perhaps
your needs are better served by creating a 'libx509' with the relevant
functions stripped out from GnuTLS and improved with the functions you
need. Or we could extend libksba, which is GnuPG's X.509 library.
/Simon
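Added example, not part of the thread and not GnuTLS code: when there is no TLS session to hand you the peer's certificate list, the caller has to order the chain itself (leaf, then each issuer in turn) before it can be passed to gnutls_x509_crt_list_verify() together with a separate list of trusted CAs. The code below does that ordering by matching each certificate's issuer DN against the subject DNs of an unordered pool, stopping once the issuer is a trust anchor and refusing untrusted self-signed roots, missing issuers and issuer loops. Certificates are reduced to a constructed struct of subject/issuer strings so the example builds without libgnutls; with real gnutls_x509_crt_t objects you would fill those strings from gnutls_x509_crt_get_dn() and gnutls_x509_crt_get_issuer_dn(), or replace the string compare with gnutls_x509_crt_check_issuer(). The sample DNs are made up for the example.

```c
/* Chain construction for offline X.509 verification.
 * Added example: not from the mailing-list thread, not GnuTLS source.
 * DN string matching is only the structural step; signature checking is
 * still done afterwards by gnutls_x509_crt_list_verify(). */
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 8                         /* bound walk: catches issuer loops */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Minimal stand-in for gnutls_x509_crt_t: just the two DNs we need. */
struct cert {
    const char *subject;
    const char *issuer;
};

enum chain_status {
    CHAIN_OK = 0,        /* chain ends at a certificate issued by a trust anchor */
    CHAIN_NO_ISSUER = 1, /* issuer found neither in the pool nor the trust store */
    CHAIN_TOO_LONG = 2   /* exceeded MAX_CHAIN: loop or absurd depth */
};

static int dn_equal(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

static const struct cert *find_by_subject(const struct cert *pool, size_t n,
                                          const char *subject)
{
    for (size_t i = 0; i < n; i++)
        if (dn_equal(pool[i].subject, subject))
            return &pool[i];
    return NULL;
}

/* Walk from the leaf toward a trust anchor. On CHAIN_OK, out[] holds the
 * ordered chain (leaf first, trust anchor NOT included, mirroring the
 * cert_list / CA_list split of gnutls_x509_crt_list_verify()) and *out_len
 * its length. A self-signed certificate that is not in the trust store is a
 * dead end, not an anchor. */
static enum chain_status build_chain(const struct cert *leaf,
                                     const struct cert *pool, size_t pool_len,
                                     const struct cert *trusted, size_t trusted_len,
                                     const struct cert *out[], size_t *out_len)
{
    const struct cert *cur = leaf;
    size_t len = 0;

    for (;;) {
        if (len >= MAX_CHAIN)
            return CHAIN_TOO_LONG;
        out[len++] = cur;

        if (find_by_subject(trusted, trusted_len, cur->issuer)) {
            *out_len = len;
            return CHAIN_OK;
        }
        if (dn_equal(cur->subject, cur->issuer))   /* untrusted self-signed */
            return CHAIN_NO_ISSUER;

        const struct cert *next = find_by_subject(pool, pool_len, cur->issuer);
        if (next == NULL)
            return CHAIN_NO_ISSUER;
        cur = next;
    }
}

/* Constructed sample data (hypothetical DNs). The pool is deliberately
 * unordered and contains unrelated and looping certificates. */
const struct cert sample_trusted[] = {
    { "CN=Example Root CA", "CN=Example Root CA" },
};
const struct cert sample_pool[] = {
    { "CN=Other CA",                "CN=Other Root" },
    { "CN=Loop A",                  "CN=Loop B" },
    { "CN=Example Intermediate CA", "CN=Example Root CA" },
    { "CN=Loop B",                  "CN=Loop A" },
};
const struct cert sample_leaf      = { "CN=mail.example.net",   "CN=Example Intermediate CA" };
const struct cert sample_orphan    = { "CN=orphan.example.net", "CN=Missing CA" };
const struct cert sample_loop_leaf = { "CN=Loop A",             "CN=Loop B" };

int main(void)
{
    const struct cert *chain[MAX_CHAIN];
    size_t n = 0;
    enum chain_status st = build_chain(&sample_leaf,
                                       sample_pool, ARRAY_LEN(sample_pool),
                                       sample_trusted, ARRAY_LEN(sample_trusted),
                                       chain, &n);
    if (st != CHAIN_OK) {
        printf("chain building failed: %d\n", (int)st);
        return 1;
    }
    /* This ordered list is what would go into gnutls_x509_crt_list_verify(). */
    for (size_t i = 0; i < n; i++)
        printf("%zu: %s (issued by %s)\n", i, chain[i]->subject, chain[i]->issuer);
    return 0;
}
```

The split between the pool and the trust store matters: the walk only succeeds when it reaches an issuer that is in the trust store, so an attacker-supplied self-signed root in the pool can never close the chain. Once the list is ordered, the actual signature and expiry checks are left to GnuTLS's list verification, which is also where an intermediate that merely has the right DN but the wrong key would be rejected.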