I make use of GnuTLS certificate revocation list methods, including gnutls_x509_crl_verify, but it looks like there is some issue:

gnutls_x509_crl_verify calls find_crl_issuer, which calls is_crl_issuer, which calls _gnutls_x509_compare_raw_dn. However, it seems that the raw_dn field is not set for a newly generated certificate, only for a certificate loaded using the gnutls_x509_crt_import functions. Also, it seems the raw_issuer_dn field is not set for a newly generated CRL, only for a CRL loaded using the gnutls_x509_crl_import functions. So gnutls_x509_crl_verify fails when used with a newly generated certificate or CRL.

Also, this means that if multiple new certificates and a new CRL are provided to gnutls_x509_crl_verify, any of the provided certificates will match, since the raw DN is always empty and so always equal. Fortunately, in this case the signature check would fail later in gnutls_x509_crl_verify, so this might not be a security issue.

Can you confirm the issue?

Thanks,
Adrien Beraud
Savoir-faire Linux
_______________________________________________
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help