[gnutls-help] GnuTLS: Building of a certificate chain

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jul 8 19:50:03 CEST 2018


On Thu, 2018-07-05 at 20:21 +0200, Markus Karch wrote:
> Hello everyone,
> I am trying to verify a certificate with
> the gnutls_x509_trust_list_verify_crt()-function [1]. I can pass a
> list of trusted CAs with the “list”-parameter. 
> My problem is that I also have a list of intermediate CAs which I do
> not trust but should be used to build the certificate chain.
> Something like the chain-parameter in the OpenSSL
> function X509_STORE_CTX_init.  According to the documentation I can
> pass the certificate chain including the certificate which should be
> verified via the cert_list-parameter of
> the gnutls_x509_trust_list_verify_crt()-function. But is there a
> possibility to build that chain with a list of untrusted intermediate
> CAs?

The gnutls_x509_trust_list_verify_crt() takes as cert_list the
untrusted list. If the flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
is not specified, then it will (re)create the chain/sort the list if it
is not already sorted. You could then pass the end-certificate as first
on the list and the untrusted intermediate CAs following it. That way
the right list will be verified.

Alternatively, if you'd like to "see" the sorted list, or if the list
of untrusted intermediate CAs is large, you could insert them into a
gnutls_x509_trust_list_t, and for the certificate you want you could
use gnutls_x509_trust_list_get_issuer() recursively until you create
the right list to provide to gnutls_x509_trust_list_verify_crt.

regards,
Nikos
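To make the two behaviours Nikos describes concrete, here is an added example (not GnuTLS code, and not from either poster): a Python model of how a verifier turns an unsorted cert_list (end-entity first, untrusted intermediates in any order) into an ordered chain ending at a trust-list anchor, and how the strict mode corresponding to GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN rejects a list that is not already in order. Certificates are constructed as (subject, issuer) name pairs; only issuer/subject linkage is modelled, not signatures or validity periods.

```python
# Added example, not GnuTLS code: models the chain-sorting step of
# gnutls_x509_trust_list_verify_crt() and the strict
# (DO_NOT_ALLOW_UNSORTED_CHAIN) mode. Certificates are (subject, issuer)
# pairs; signature checks and other validation are out of scope here.

# Constructed sample data: a leaf, two intermediates, one trusted root.
LEAF = ("CN=www.example.test", "CN=Example Issuing CA")
INTER_1 = ("CN=Example Issuing CA", "CN=Example Policy CA")
INTER_2 = ("CN=Example Policy CA", "CN=Example Root CA")
ROOT = ("CN=Example Root CA", "CN=Example Root CA")


def find_issuer(cert, candidates):
    """Return the first candidate whose subject matches cert's issuer."""
    for cand in candidates:
        if cand[0] == cert[1]:
            return cand
    return None


def build_chain(cert_list, trusted, allow_unsorted=True):
    """Model of the chain handling in gnutls_x509_trust_list_verify_crt().

    cert_list: end-entity certificate first, untrusted intermediates after.
    trusted:   the anchors held by the trust list.
    Returns the ordered chain (leaf .. last intermediate) when a path to a
    trusted anchor exists, else None. In strict mode the input order must
    already be leaf -> issuer -> issuer ..., as with the GnuTLS flag.
    """
    if not cert_list:
        return None
    if not allow_unsorted:
        for child, parent in zip(cert_list, cert_list[1:]):
            if child[1] != parent[0]:
                return None  # out-of-order list is rejected, not re-sorted
        chain = list(cert_list)
        return chain if find_issuer(chain[-1], trusted) else None
    chain = [cert_list[0]]
    pool = list(cert_list[1:])
    while find_issuer(chain[-1], trusted) is None:
        nxt = find_issuer(chain[-1], pool)
        if nxt is None:
            return None  # no issuer anywhere: chain cannot reach an anchor
        pool.remove(nxt)  # each cert used once, so issuer loops terminate
        chain.append(nxt)
    return chain
```

The same walk from leaf to anchor is what the gnutls_x509_trust_list_get_issuer() approach does by hand when the intermediates are stored in their own trust list.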
