Daniel Kahn Gillmor wrote:

> On 11/26/2009 09:18 AM, Simon Josefsson wrote:
> [...]
> What you want to do is to put the ordered certificates (end-entity cert,
> followed by successive CA certs) in file A, and then the private key in a
> file B (only the end-entity's private key -- there's no need to have the
> private key for any intermediate CA). Then call
> gnutls_certificate_set_x509_key_file once, pointing to A and B.

With your help and Simon's, I have now managed to get verification to work
this way using a proxy, the certificate with which I signed the proxy, and
the CA's certificate.

There are a couple of points I thought I'd mention, in case Simon would like
to account for them when revising the documentation:

1. In the file `ex-verify.c', the following variables are global:

       gnutls_x509_crl_t *crl_list;
       int crl_list_size;
       gnutls_x509_crt_t *ca_list;
       int ca_list_size;

   They are passed to `verify_last_cert' by `verify_certificate_chain'. It
   was not clear to me where the values they contained were supposed to come
   from. I solved the problem by calling the following code in `main' (from
   Example 7.4.2, Echo Server with X.509 Authentication II):

       ca_list = malloc(sizeof(gnutls_x509_crt_t));
       gnutls_certificate_get_x509_cas(cert_cred, &ca_list, &ca_list_size);
       ...
       free(ca_list);  /* After we're done with verification */
       ca_list = 0;

   (The variables had to be declared `extern' in the file that contains
   `main'.) Is this what I ought to be doing?

2. `gnutls_x509_crt_verify' sets the `GNUTLS_CERT_INVALID' bit in its
   `*FLAGS' argument when the signer isn't a CA, which is the case when the
   certificate being tested is the proxy signed by my certificate. This
   isn't a serious problem, but it didn't work when I tried to use my non-CA
   certificate as a trusted CA file. I haven't tested this thoroughly,
   however. I would like for the clients to be able to just send a proxy,
   though they will have had to send a trusted certificate previously. It
   would be easier if I could use the latter as a trusted CA certificate,
   but I can work around this if this isn't possible.

Thanks again for your help.

Laurence

Laurence Finston
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
37077 Goettingen
Telephone: +49 551 201-1882
E-Mail: [email protected]

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
