On 11/30/2009 10:52 AM, [email protected] wrote:
> 1. In the file `ex-verify.c', the following variables are global:
>
>     gnutls_x509_crl_t *crl_list;
>     int crl_list_size;
>
>     gnutls_x509_crt_t *ca_list;
>     int ca_list_size;
>
> They are passed to `verify_last_cert' by `verify_certificate_chain'. It
> was not clear to me where the values they contained were supposed to come
> from.
>
> I solved the problem by calling the following code in `main' (from Example
> 7.4.2 Echo Server with X.509 Authentication II):
>
>     ca_list = malloc(sizeof(gnutls_x509_crt_t));
>     gnutls_certificate_get_x509_cas(cert_cred, &ca_list, &ca_list_size);
According to the docs here:

http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_005fcertificate_005fget_005fx509_005fcas

It looks like you should *not* be allocating them yourself (and you should not be freeing them either). In particular, these calls return pointers to elements internal to the gnutls_certificate_credentials_t object, and should probably be considered valid only as long as that object remains unaltered. Check out line 127 of lib/gnutls_cert.c to understand how they get set by this function.

> 2. `gnutls_x509_crt_verify' sets the 'GNUTLS_CERT_INVALID' bit in its
> `*FLAGS' argument when the signer isn't a CA, which is the case when the
> certificate being tested is the proxy signed by my certificate. This
> isn't a serious problem, but it didn't work when I tried to use my non-CA
> certificate as a trusted CA file. I haven't tested this thoroughly,
> however. I would like for the clients to be able to just send a proxy,
> though they will have had to have sent a trusted certificate previously.
> It would be easier if I could use the latter as a trusted CA certificate,
> but I can work around this if this isn't possible.

Simon's response just now suggests that GnuTLS doesn't know how to interact with proxy certificates. They're specified in RFC 3820, if anyone wants to take a crack at implementing support for them.

http://tools.ietf.org/html/rfc3820

That would be a Good Thing, I think, if done properly.

--dkg
_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
