help-gnutls

Re: Checking expiry of my own certificates


From: Simon Josefsson
Subject: Re: Checking expiry of my own certificates
Date: Mon, 07 Jun 2010 17:37:11 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Michael Welsh Duggan <address@hidden> writes:

> I work on a project where we have written a client and server that use
> GnuTLS to communicate.  Specifically, the client and server use
> gnutls_certificate_set_x509_trust_file() to load a CA and
> gnutls_certificate_set_x509_simple_pkcs12_file() to load a password
> protected certificate/key pair.
>
> Recently we have had an experience attempting to communicate using
> certificates that have expired.  When using certs that have expired,
> the call to gnutls_certificate_verify_peers2() will set the
> GNUTLS_CERT_EXPIRED flag in the 'status' variable (assuming GnuTLS
> 2.6.6 or later---thanks for adding this check).
>
> What we would rather have happen is that when the client or server
> start, they check the expiration times on the certificates they read,
> and exit if they find no valid certificates.  This saves us from
> attempting a connection that is going to be rejected because of the
> expired certificates.
>
> Once we've loaded the CA into the gnutls_certificate_credentials_t
> structure, we can use gnutls_certificate_get_x509_cas() to loop over
> the CAs and check their activation and expiration times (using
> gnutls_x509_crt_get_activation_time()).
>
> However, we don't see a way to do that with the certificate/key pair
> that we load.  gnutls_x509_crt_list_verify() looks close, however it
> does not check the activation/expiration times, and we haven't found a
> function that lets me get a certificate list from a
> gnutls_certificate_credentials_t structure.
>
> Are we missing something?  Are there other suggestions on how to perform
> this check?

Doesn't gnutls_x509_crt_list_verify check times?  If I read the code for
gnutls_certificate_verify_peers2, it calls
_gnutls_x509_cert_verify_peers which calls gnutls_x509_crt_list_verify.
I can't find any time checks outside of that function.

Note that the function trims trusted certificates from the list of
certificates to check expiration dates on.

It could be a bug, see if you can create a small test case that calls
gnutls_x509_crt_list_verify on a chain which doesn't fail but should.

/Simon
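The start-up check Michael asks for, written out as an added example (it is not code from the GnuTLS project or from either poster). The policy part works on plain time_t values and is library-independent; the adapter that pulls the validity windows out of a gnutls_certificate_credentials_t is compiled only when HAVE_GNUTLS is defined and assumes GnuTLS 3.4 or later, where gnutls_certificate_get_x509_crt() was added (it did not exist when this thread was written, which is the gap Michael hit). The names cert_window, cert_window_state, cert_windows_usable and cert_windows_from_credentials are mine, and the sample windows in main() are constructed, not taken from real certificates.

```c
/* Added example: refuse to start when none of the loaded certificates is
 * inside its validity period, instead of failing the handshake later with
 * GNUTLS_CERT_EXPIRED.  Build: cc -DHAVE_GNUTLS check.c -lgnutls  (or plain
 * cc check.c to get only the policy part).  Names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

enum cert_state { CERT_OK = 0, CERT_NOT_YET_VALID, CERT_EXPIRED,
                  CERT_EXPIRING_SOON, CERT_BAD_TIME };

/* One certificate's validity window as seconds since the epoch. */
struct cert_window {
    const char *label;      /* used only for the diagnostic line */
    time_t not_before;
    time_t not_after;
};

/* Classify one window relative to `now`.  `warn_secs` is how far ahead of
 * notAfter we want a warning (e.g. 14 days); 0 disables the warning. */
enum cert_state cert_window_state(const struct cert_window *w, time_t now,
                                  time_t warn_secs)
{
    /* gnutls_x509_crt_get_{activation,expiration}_time() return (time_t)-1
     * when the date field cannot be read; treat that as unusable. */
    if (w->not_before == (time_t)-1 || w->not_after == (time_t)-1)
        return CERT_BAD_TIME;
    if (now < w->not_before)
        return CERT_NOT_YET_VALID;
    if (now >= w->not_after)
        return CERT_EXPIRED;
    if (warn_secs > 0 && now + warn_secs >= w->not_after)
        return CERT_EXPIRING_SOON;
    return CERT_OK;
}

/* Start-up policy: print one line per certificate and return how many are
 * usable now (valid, or valid but expiring soon).  The caller exits on 0. */
size_t cert_windows_usable(const struct cert_window *w, size_t n, time_t now,
                           time_t warn_secs)
{
    static const char *const names[] = { "valid", "not yet valid", "EXPIRED",
                                         "expiring soon", "unreadable dates" };
    size_t usable = 0;
    for (size_t i = 0; i < n; i++) {
        enum cert_state s = cert_window_state(&w[i], now, warn_secs);
        fprintf(stderr, "%s: %s\n", w[i].label, names[s]);
        if (s == CERT_OK || s == CERT_EXPIRING_SOON)
            usable++;
    }
    return usable;
}

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

/* Fill `out` (capacity `cap`) from a credentials structure: first the own
 * certificate chain stored at index 0 (what set_x509_simple_pkcs12_file
 * loaded), then the trusted CAs.  Returns the number of windows written. */
size_t cert_windows_from_credentials(gnutls_certificate_credentials_t cred,
                                     struct cert_window *out, size_t cap)
{
    size_t n = 0;
    gnutls_x509_crt_t *chain = NULL;
    unsigned chain_len = 0;

    /* GnuTLS >= 3.4; the returned certificates are copies we must free. */
    if (gnutls_certificate_get_x509_crt(cred, 0, &chain, &chain_len) >= 0) {
        for (unsigned i = 0; i < chain_len && n < cap; i++, n++) {
            out[n].label = (i == 0) ? "own leaf certificate" : "own chain certificate";
            out[n].not_before = gnutls_x509_crt_get_activation_time(chain[i]);
            out[n].not_after  = gnutls_x509_crt_get_expiration_time(chain[i]);
        }
        for (unsigned i = 0; i < chain_len; i++)
            gnutls_x509_crt_deinit(chain[i]);
        gnutls_free(chain);
    }

    gnutls_x509_crt_t *cas = NULL;
    unsigned ncas = 0;
    gnutls_certificate_get_x509_cas(cred, &cas, &ncas); /* list stays owned by cred */
    for (unsigned i = 0; i < ncas && n < cap; i++, n++) {
        out[n].label = "trusted CA";
        out[n].not_before = gnutls_x509_crt_get_activation_time(cas[i]);
        out[n].not_after  = gnutls_x509_crt_get_expiration_time(cas[i]);
    }
    return n;
}
#endif

int main(void)
{
    /* Constructed sample windows (not real certificates), checked at a fixed
     * instant so the run is reproducible; in a server you would fill this
     * array with cert_windows_from_credentials() right after loading. */
    struct cert_window w[] = {
        { "own leaf certificate", 1000, 2000 },
        { "trusted CA",           3000, 4000 },
        { "old trusted CA",          0, 1500 },
    };
    time_t now = 1500;
    size_t usable = cert_windows_usable(w, sizeof w / sizeof w[0], now, 600);
    return usable == 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Call cert_windows_from_credentials() immediately after the gnutls_certificate_set_x509_trust_file() and gnutls_certificate_set_x509_simple_pkcs12_file() calls and exit when cert_windows_usable() returns 0; the warn threshold gives operators a renewal warning before the expiry actually breaks connections. The adapter is kept behind HAVE_GNUTLS so the policy function can be unit-tested without the library, which is also why it takes plain time_t rather than gnutls_x509_crt_t.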


