4.2.2 Verifying X.509 certificate paths
Verifying certificate paths is essential in X.509 authentication: a certificate that does not chain to a trusted authority proves nothing about its holder. GnuTLS provides trust list functions for this purpose.
The verification function verifies a given certificate chain against a list of certificate authorities and certificate revocation lists, and outputs a bit-wise OR of elements of the gnutls_certificate_status_t enumeration shown in Table 4.3. A status of zero means the chain verified; if any bit is set the chain must be rejected, so callers should test the whole value against zero rather than a single flag.
- GNUTLS_CERT_INVALID The certificate is not signed by one of the known authorities, or the signature is invalid.
- GNUTLS_CERT_REVOKED The certificate is revoked by its authority. In X.509 this will be set only if CRLs have been loaded and are checked.
- GNUTLS_CERT_SIGNER_NOT_FOUND The certificate's issuer is not known. This is the case if the issuer is not included in the trusted certificate list.
- GNUTLS_CERT_SIGNER_NOT_CA The certificate's signer was not a CA. This may happen if the signer has a version 1 certificate, which is common with some CAs, or a version 3 certificate without the basic constraints extension.
- GNUTLS_CERT_INSECURE_ALGORITHM The certificate was signed using an insecure algorithm such as MD2 or MD5. These algorithms have been broken and should not be trusted.
- GNUTLS_CERT_NOT_ACTIVATED The certificate is not yet activated (its validity period has not started).
- GNUTLS_CERT_EXPIRED The certificate has expired.
Table 4.3: The gnutls_certificate_status_t enumeration
An example of certificate verification is shown in ex:verify2. It is also possible to trust a set of certificates for a particular server only, without authorizing them to sign other certificates. This purpose is served by the functions gnutls_x509_trust_list_add_named_crt and gnutls_x509_trust_list_verify_named_crt.
This document was generated on January 4, 2012 using texi2html 5.0.