On Wed, Nov 30, 2016 at 10:15 PM, Adrien Béraud <adrien.ber...@savoirfairelinux.com> wrote:

> I make use of GnuTLS certificate revocation list methods, including
> gnutls_x509_crl_verify, but it looks like there is some issue:
> gnutls_x509_crl_verify
> calls
> find_crl_issuer,
> which calls
> is_crl_issuer,
> which calls
> _gnutls_x509_compare_raw_dn
>
> However it seems that the raw_dn field is not set for a newly generated
> certificate, only for a certificate loaded using the gnutls_x509_crt_import
> functions.
> Also it seems the raw_issuer_dn field is not set for a newly generated CRL,
> only for a CRL loaded using the gnutls_x509_crl_import functions.
> So gnutls_x509_crl_verify fails when used with a newly generated
> certificate or CRL.

Right, newly generated CRLs and certificates are not fully usable. I think I should make that apparent in the _sign() functions of them. They need to go through the import phase to be used for verification.

> Also this means that if multiple new certificates and a new CRL are provided
> to gnutls_x509_crl_verify, any of the provided certificates will match since
> the raw DN is always empty, so always equal.
> Fortunately in this case the signature check would fail later in
> gnutls_x509_crl_verify, so this might not be a security issue.

DN matching does not offer a security guarantee. The DN is what the certificate claims to be, rather than an ID assertion. The matching is used to discover a possible signer, but does not replace the signature verification process.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help