Re: Checking expiry of my own certificates
From: Simon Josefsson
Subject: Re: Checking expiry of my own certificates
Date: Mon, 07 Jun 2010 17:37:11 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
Michael Welsh Duggan <address@hidden> writes:
> I work on a project where we have written a client and server that use
> GnuTLS to communicate. Specifically, the client and server use
> gnutls_certificate_set_x509_trust_file() to load a CA and
> gnutls_certificate_set_x509_simple_pkcs12_file() to load a password
> protected certificate/key pair.
>
> Recently we have had an experience attempting to communicate using
> certificates that have expired. When using certs that have expired,
> the call to gnutls_certificate_verify_peers2() will set the
> GNUTLS_CERT_EXPIRED flag in the 'status' variable (assuming GnuTLS
> 2.6.6 or later---thanks for adding this check).
>
> What we would rather have happen is that when the client or server
> start, they check the expiration times on the certificates they read,
> and exit if they find no valid certificates. This saves us from
> attempting a connection that is going to be rejected because of the
> expired certificates.
>
> Once we've loaded the CA into the gnutls_certificate_credentials_t
> structure, we can use gnutls_certificate_get_x509_cas() to loop over
> the CAs and check their activation and expiration times (using
> gnutls_x509_crt_get_activation_time()).
>
> However, we don't see a way to do that with the certificate/key pair
> that we load. gnutls_x509_crt_list_verify() looks close, however it
> does not check the activation/expiration times, and we haven't found a
> function that lets me get a certificate list from a
> gnutls_certificate_credentials_t structure.
>
> Are we missing something? Are there other suggestions on how to perform
> this check?
Doesn't gnutls_x509_crt_list_verify check times? If I read the code for
gnutls_certificate_verify_peers2, it calls
_gnutls_x509_cert_verify_peers which calls gnutls_x509_crt_list_verify.
I can't find any time checks outside of that function.
Note that the function trims trusted certificates from the list of
certificates to check expiration dates on.
It could be a bug; see if you can create a small test case that calls
gnutls_x509_crt_list_verify on a chain which doesn't fail but should.
/Simon
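The start-up check the original poster asks for, as an added example that is not part of the thread and not GnuTLS code. It reads the Validity field straight out of the DER with the Python standard library, so it runs without GnuTLS installed; the GnuTLS counterpart is gnutls_x509_crt_list_import() on the file followed by gnutls_x509_crt_get_activation_time() and gnutls_x509_crt_get_expiration_time() on each certificate, before the file is handed to the credentials structure. The status bit values, the sample certificates (unsigned, structurally valid DER with empty names and a stub public key) and the "now" timestamp are all constructed for this example.

```python
"""Pre-flight validity check of the certificates a client/server is about to
load: parse notBefore/notAfter out of DER and compare against a clock.
Added example, not from the GnuTLS thread or the GnuTLS code base."""
import base64
import datetime as dt
import re

# Status bits modelled on GnuTLS's GNUTLS_CERT_NOT_ACTIVATED / GNUTLS_CERT_EXPIRED;
# the numeric values are this example's own, not GnuTLS's.
CERT_NOT_ACTIVATED = 1 << 0
CERT_EXPIRED = 1 << 1

SEQUENCE, INTEGER, OID, UTC_TIME, GENERALIZED_TIME, EXPLICIT_0 = 0x30, 0x02, 0x06, 0x17, 0x18, 0xA0
UTC = dt.timezone.utc


def read_tlv(buf, pos):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end).
    Single-byte tags only, which is all TBSCertificate uses at this level."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, pos + length


def parse_asn1_time(tag, raw):
    """RFC 5280 4.1.2.5: UTCTime 'YYMMDDHHMMSSZ' (YY >= 50 means 19YY) for dates
    through 2049, GeneralizedTime 'YYYYMMDDHHMMSSZ' from 2050; always UTC."""
    text = raw.decode("ascii")
    if tag == UTC_TIME and len(text) == 13:
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:12]
    elif tag == GENERALIZED_TIME and len(text) == 15:
        year, rest = int(text[:4]), text[4:14]
    else:
        raise ValueError("malformed certificate time: %r" % text)
    if text[-1] != "Z":
        raise ValueError("certificate times must be in UTC ('Z')")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return dt.datetime(year, mo, d, h, mi, s, tzinfo=UTC)


def certificate_validity(der):
    """(notBefore, notAfter) of a DER X.509 certificate as aware UTC datetimes."""
    tag, pos, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    tag2, pos, tbs_end = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    if tag != SEQUENCE or tag2 != SEQUENCE:
        raise ValueError("not a DER certificate")
    tag, _, end = read_tlv(der, pos)
    if tag == EXPLICIT_0:                           # version [0] EXPLICIT, absent in v1
        pos = end
    for expected in (INTEGER, SEQUENCE, SEQUENCE):  # serialNumber, signature, issuer
        tag, _, pos = read_tlv(der, pos)
        if tag != expected:
            raise ValueError("unexpected TBSCertificate field")
    tag, vpos, vend = read_tlv(der, pos)            # validity SEQUENCE { notBefore, notAfter }
    if tag != SEQUENCE or vend > tbs_end:
        raise ValueError("validity field missing")
    t1, s1, e1 = read_tlv(der, vpos)
    t2, s2, e2 = read_tlv(der, e1)
    if e2 != vend:
        raise ValueError("validity has extra content")
    return parse_asn1_time(t1, der[s1:e1]), parse_asn1_time(t2, der[s2:e2])


def validity_status(der, now=None):
    """0 if the certificate is usable at 'now', else a mask of the bits above."""
    now = now if now is not None else dt.datetime.now(UTC)
    not_before, not_after = certificate_validity(der)
    status = 0
    if now < not_before:
        status |= CERT_NOT_ACTIVATED
    if now > not_after:
        status |= CERT_EXPIRED
    return status


def pem_to_der_list(pem_text):
    """Every CERTIFICATE block in a PEM file, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def check_pem_chain(pem_text, now=None):
    """Status per certificate; refuse to start if the list is empty or any entry is non-zero."""
    return [validity_status(der, now) for der in pem_to_der_list(pem_text)]


# ---- constructed sample input: unsigned, structurally valid DER, no real keys ----
def der_tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_test_cert(not_before, not_after):
    def asn1_time(t):                       # same encoding rule RFC 5280 imposes on CAs
        if 1950 <= t.year <= 2049:
            return der_tlv(UTC_TIME, t.strftime("%y%m%d%H%M%SZ").encode())
        return der_tlv(GENERALIZED_TIME, t.strftime("%Y%m%d%H%M%SZ").encode())
    sha256_rsa = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")))
    tbs = (der_tlv(EXPLICIT_0, der_tlv(INTEGER, b"\x02")) + der_tlv(INTEGER, b"\x01")
           + sha256_rsa + der_tlv(SEQUENCE, b"")                       # signature, issuer
           + der_tlv(SEQUENCE, asn1_time(not_before) + asn1_time(not_after))
           + der_tlv(SEQUENCE, b"") + der_tlv(SEQUENCE, b""))          # subject, SPKI stub
    return der_tlv(SEQUENCE, der_tlv(SEQUENCE, tbs) + sha256_rsa + der_tlv(0x03, b"\x00"))


SAMPLE_NOW = dt.datetime(2010, 6, 7, 15, 37, 11, tzinfo=UTC)   # the mail's timestamp, in UTC
SAMPLE_PEM = "".join(
    "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(make_test_cert(nb, na)).decode()
    + "-----END CERTIFICATE-----\n"
    for nb, na in [
        (dt.datetime(2009, 6, 1, tzinfo=UTC), dt.datetime(2010, 6, 1, tzinfo=UTC)),   # expired leaf
        (dt.datetime(2005, 1, 1, tzinfo=UTC), dt.datetime(2025, 1, 1, tzinfo=UTC)),   # current CA
        (dt.datetime(2011, 1, 1, tzinfo=UTC), dt.datetime(2050, 6, 1, tzinfo=UTC)),   # not yet valid
    ])
```

Run against SAMPLE_PEM at SAMPLE_NOW, check_pem_chain() returns [CERT_EXPIRED, 0, CERT_NOT_ACTIVATED]; a process that exits on any non-zero entry avoids the handshake the thread describes. Two caveats: the comparison is only as good as the local clock, so a skew allowance on notBefore is reasonable in practice, and this is a pre-flight check only; the peer still runs its own verification, so it does not replace gnutls_certificate_verify_peers2() on the connection.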