On Thu, 2018-07-05 at 20:21 +0200, Markus Karch wrote:
> Hello everyone,
> I am trying to verify a certificate with the gnutls_x509_trust_list_verify_crt()-function [1]. I can pass a list of trusted CAs with the “list”-parameter.
> My problem is that I also have a list of intermediate CAs which I do not trust but should be used to build the certificate chain. Something like the chain-parameter in the OpenSSL function X509_STORE_CTX_init. According to the documentation I can pass the certificate chain including the certificate which should be verified via the cert_list-parameter of the gnutls_x509_trust_list_verify_crt()-function. But is there a possibility to build that chain with a list of untrusted intermediate CAs?
The gnutls_x509_trust_list_verify_crt() takes as cert_list the untrusted list. If the flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN is not specified, then it will (re)create the chain/sort the list if it is not already sorted. You could then pass the end-certificate as first on the list and the untrusted intermediate CAs following it. That way the right list will be verified.

Alternatively, if you'd like to "see" the sorted list, or if the list of untrusted intermediate CAs is large, you could insert them into a gnutls_x509_trust_list_t, and for the certificate you want you could use gnutls_x509_trust_list_get_issuer() recursively until you create the right list to provide to gnutls_x509_trust_list_verify_crt.

regards,
Nikos
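The issuer walk Nikos describes (end certificate first, then each untrusted intermediate found by looking up the current certificate's issuer, until a trusted CA is reached), as an added model that is not part of this thread or of GnuTLS. Certificates are stand-ins identified by subject and issuer name only; the signature, key-identifier and validity checks that gnutls_x509_trust_list_verify_crt() performs are not modelled, and the sample names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a gnutls_x509_crt_t: names only."""
    subject: str
    issuer: str


class ChainError(Exception):
    """Raised when no ordered path from the end cert to a trusted CA exists."""


def find_issuer(cert, pool):
    """Model of gnutls_x509_trust_list_get_issuer(): the certificate in
    `pool` whose subject matches `cert`'s issuer, or None."""
    for candidate in pool:
        if candidate.subject == cert.issuer and candidate is not cert:
            return candidate
    return None


def sort_chain(cert_list, trusted):
    """Re-order cert_list as [end_cert, intermediate, ...] up to (but not
    including) a trusted CA.  cert_list[0] must be the end certificate;
    the rest (the untrusted intermediates) may be in any order."""
    chain = [cert_list[0]]
    untrusted = list(cert_list[1:])
    current = chain[0]
    while find_issuer(current, trusted) is None:       # not yet at an anchor
        if current.subject == current.issuer:          # self-signed, untrusted
            raise ChainError(f"untrusted root: {current.subject}")
        nxt = find_issuer(current, untrusted)
        if nxt is None:
            raise ChainError(f"no issuer found for: {current.subject}")
        if nxt in chain:
            raise ChainError("issuer loop detected")
        chain.append(nxt)
        current = nxt
    return chain


# Constructed sample: the leaf followed by intermediates in the wrong order.
ROOT = Cert("Root CA", "Root CA")
INTER1 = Cert("Intermediate 1", "Intermediate 2")
INTER2 = Cert("Intermediate 2", "Root CA")
LEAF = Cert("www.example.test", "Intermediate 1")
UNSORTED = [LEAF, INTER2, INTER1]
```

The ordered list returned by sort_chain(UNSORTED, [ROOT]) is what you would pass as cert_list, with ROOT in the trust list.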
