5.1.2 Verifying X.509 Certificate Paths

Verifying certificate paths is important in X.509 authentication. For this purpose the function gnutls_x509_crt_verify is provided. The output of this function is the bitwise OR of the elements of the gnutls_certificate_status_t enumeration. A detailed description of these elements can be found in figure below. The function gnutls_certificate_verify_peers2 is equivalent to the previous one, and will verify the peer’s certificate in a TLS session.

GNUTLS_CERT_INVALID:

The certificate is not signed by one of the known authorities, or the signature is invalid.

GNUTLS_CERT_REVOKED:

The certificate has been revoked by its CA.

GNUTLS_CERT_SIGNER_NOT_FOUND:

The certificate’s issuer is not known. This is the case when the issuer is not in the trusted certificates list.

GNUTLS_CERT_SIGNER_NOT_CA:

The certificate’s signer was not a CA. This may happen if this was a version 1 certificate, which is common with some CAs, or a version 3 certificate without the basic constrains extension.

GNUTLS_CERT_INSECURE_ALGORITHM:

The certificate was signed using an insecure algorithm such as MD2 or MD5. These algorithms have been broken and should not be trusted.

There is also to possibility to pass some input to the verification functions in the form of flags. For gnutls_x509_crt_verify the flags are passed straightforward, but gnutls_certificate_verify_peers2 depends on the flags set by calling gnutls_certificate_set_verify_flags. All the available flags are part of the enumeration gnutls_certificate_verify_flags and are explained in the table below.

GNUTLS_VERIFY_DISABLE_CA_SIGN:

If set a signer does not have to be a certificate authority. This flag should normaly be disabled, unless you know what this means.

GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT:

Allow only trusted CA certificates that have version 1. This is safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be used instead. That way only signers in your trusted list will be allowed to have certificates of version 1.

GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT:

Allow CA certificates that have version 1 (both root and intermediate). This is dangerous since those haven’t the basicConstraints extension. Must be used in combination with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.

GNUTLS_VERIFY_DO_NOT_ALLOW_SAME:

If a certificate is not signed by anyone trusted but exists in the trusted CA list do not treat it as trusted.

GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2:

Allow certificates to be signed using the old MD2 algorithm.

GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5:

Allow certificates to be signed using the broken MD5 algorithm.

Although the verification of a certificate path indicates that the certificate is signed by trusted authority, does not reveal anything about the peer’s identity. It is required to verify if the certificate’s owner is the one you expect. For more information consult [RFC2818] (see section Bibliography) and section ex:verify for an example.