[gnutls-dev] gnutls_certificate_verify_peers2() does not handle expirations
From: Rupert Kittinger
Subject: [gnutls-dev] gnutls_certificate_verify_peers2() does not handle expirations
Date: Fri, 3 Jun 2005 15:53:03 +0200 (CEST)
Hi everybody,
I think the x509 certificate check performed by
gnutls_certificate_verify_peers2() is not sufficient, because it does not
validate the various time constraints (activation/expiration of
certificates, CAs, CRLs).
I propose adding the following function:
int gnutls_certificate_verify_peers3 (gnutls_session session, unsigned int * status, time_t then)
that has the following semantics:
- perform the same checks as gnutls_certificate_verify_peers2()
- for every certificate in the chain, check for activation and expiration
- if a CRL is available for a CA and the nextUpdate field is available,
check for expiration.
Add validation flags for the new error conditions.
With the current API, these checks can only be performed by duplicating
some of the code to get to the certificates, resp. CRLs.
Also, I did not find any checks for unknown critical extensions. As far as
I know, these should also cause validation failure. Did I overlook
something?
cheers,
Rupert
--
Rupert Kittinger <address@hidden>
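As an added illustration (not Rupert's code and not part of GnuTLS), the time checks the proposed gnutls_certificate_verify_peers3() would add, evaluated at the caller-supplied instant `then`, written against constructed stand-in structures so it compiles without GnuTLS. The struct types and the status bit names are assumptions; in a real implementation the fields would be filled from gnutls_x509_crt_get_activation_time(), gnutls_x509_crt_get_expiration_time() and gnutls_x509_crl_get_next_update() for each certificate returned by gnutls_certificate_get_peers().

```c
#include <stddef.h>
#include <time.h>

/* Hypothetical status bits for the time-related failures the proposal
 * wants reported (names assumed, not GnuTLS's). */
#define CERT_NOT_ACTIVATED  (1u << 0)
#define CERT_EXPIRED        (1u << 1)
#define CRL_EXPIRED         (1u << 2)
#define CERT_TIME_ERROR     (1u << 3)   /* a time field could not be read */

/* Constructed stand-in for one certificate of the peer chain: the values
 * the GnuTLS activation/expiration getters return, (time_t)-1 on error. */
typedef struct {
    time_t not_before;
    time_t not_after;
} cert_times;

/* Constructed stand-in for a CA's CRL. nextUpdate is optional in a CRL,
 * so (time_t)-1 here means "field absent", which is the case the
 * proposal says must not count as a failure. */
typedef struct {
    int present;          /* 0: no CRL available for this CA */
    time_t next_update;
} crl_times;

/* Apply the proposed checks to the whole chain at instant `then` and
 * return the union of failure bits; 0 means all time constraints hold. */
unsigned int verify_chain_times(const cert_times *chain, size_t n,
                                const crl_times *crl, time_t then)
{
    unsigned int status = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        if (chain[i].not_before == (time_t)-1 ||
            chain[i].not_after == (time_t)-1) {
            status |= CERT_TIME_ERROR;   /* unreadable field: fail closed */
            continue;
        }
        if (then < chain[i].not_before)
            status |= CERT_NOT_ACTIVATED;
        if (then > chain[i].not_after)
            status |= CERT_EXPIRED;
    }

    /* CRL staleness is checked only when a CRL exists and carries nextUpdate */
    if (crl != NULL && crl->present && crl->next_update != (time_t)-1 &&
        then > crl->next_update)
        status |= CRL_EXPIRED;

    return status;
}
```

Passing time(NULL) as `then` gives the usual "valid now" check; passing another instant lets a caller validate a chain as of a signing time.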