Problems handling X.509 certificates
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Nov 30 19:50:47 CET 2009
On 11/30/2009 10:52 AM, lfinsto at gwdg.de wrote:
> 1. In the file `ex-verify.c', the following variables are global:
>
> gnutls_x509_crl_t *crl_list;
> int crl_list_size;
>
> gnutls_x509_crt_t *ca_list;
> int ca_list_size;
>
> They are passed to `verify_last_cert' by `verify_certificate_chain'. It
> was not clear to me where the values they contained were supposed to come
> from.
>
> I solved the problem by calling the following code in `main' (from Example
> 7.4.2 Echo Server with X.509 Authentication II):
>
> ca_list = malloc(sizeof(gnutls_x509_crt_t));
> gnutls_certificate_get_x509_cas(cert_cred, &ca_list, &ca_list_size);
According to the docs here:
http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_005fcertificate_005fget_005fx509_005fcas
It looks like you should *not* be allocating them yourself (and you
should not be freeing them either). In particular, these calls return
pointers to elements internal to the gnutls_certificate_credentials_t
object, and should probably be considered valid only as long as that
object remains unaltered.
Check out line 127 of lib/gnutls_cert.c to understand how they get set
by this function.
> 2. `gnutls_x509_crt_verify' sets the 'GNUTLS_CERT_INVALID' bit in its
> `*FLAGS' argument when the signer isn't a CA, which is the case when the
> certificate being tested is the proxy signed by my certificate. This
> isn't a serious problem, but it didn't work when I tried to use my non-CA
> certificate as a trusted CA file. I haven't tested this thoroughly,
> however. I would like for the clients to be able to just send a proxy,
> though they will have had to have sent a trusted certificate previously.
> It would be easier if I could use the latter as a trusted CA certificate,
> but I can work around this if this isn't possible.
Simon's response just now suggests that GnuTLS doesn't know how to
interact with proxy certificates. They're specified in RFC 3820, if
anyone wants to take a crack at implementing support for them.
http://tools.ietf.org/html/rfc3820
That would be a Good Thing, i think, if done properly.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20091130/78c36442/attachment.pgp>
More information about the Gnutls-help
mailing list