Colin Leroy <[EMAIL PROTECTED]> writes:

>> > At this step however, there's no connection to the server running,
>> > so I can only use gnutls_x509_crt_verify(), and that doesn't check
>> > the issuer certificate(s), so I always have GNUTLS_CERT_INVALID...
>> > Whereas using OpenSSL, I could use X509_verify_cert(&store) and
>> > openssl checks the whole chain.
>> >
>> > Do you have any pointers for that?
>>
>> Check the source code for gnutls_certificate_verify_peers2, it
>> contains what you have to do externally. I don't think there is a
>> better interface available.
>
> I've looked at it, but this code seems really closely interlaced with
> things done at session start, and I couldn't figure out how to get the
> certificates list starting from a gnutls_x509_crt...
The server provides the list, so if you are offline you need to
construct the list yourself somehow. The X.509 interface in GnuTLS
isn't ideal for non-TLS purposes; perhaps your needs are better served
by creating a 'libx509' with the relevant functions stripped out from
GnuTLS and improved with the functions you need. Or we could extend
libksba, which is GnuPG's X.509 library.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
