Re: gnutls fails to use Verisign CA cert without a Basic Constraint

[Douglas E. Engert]

Simon Josefsson wrote:
> If the patch is over 10 lines long we will need a copyright assignment
> before we can apply it though.  If you want to speed up the process, you
> could fill out the form below now.

I sent in the form to address@hidden They are sending a paper copy
which must be signed and mailed back. This may be a problem, as I will
have to get it OK'ed, which might take weeks.

So here is the short version of a "shorten the cert chain" patch that
is only 10 lines long. Do with it what you want. As this fixes
our problem, I consider it a bug fix.

But you will need to add a check_if_same_cert routine, which can be
taken from the first half of the check_if_ca routine. The line numbers
may be off, but in the 2.6.3 version, it would be inserted at line 394.

This will also solve our problem, as V1 cert will not get used at all
ans the intermediate cert is trusted and is V3.

Thanks.

--

 Douglas E. Engert  <address@hidden>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

--- x509/,verify.c      2009-01-06 14:02:41.000000000 -0600
+++ x509/verify.c       2009-01-14 10:47:43.000000000 -0600
@@ -397,6 +482,16 @@
         }
     }
 
+  /* Shorten cert chain at point we find a trusted cert */
+  for (i = 1; i < clist_size; i++) {
+    int j;
+    for (j = 0; j < tcas_size; j++) {
+      if (check_if_same_cert (certificate_list[i], trusted_cas[j], flags) == 
1) { 
+        clist_size = i;
+        break;
+      }
+    }
+  }
   /* Verify the last certificate in the certificate path
    * against the trusted CA certificate list.
    *