manpagez: man pages & more
info gnutls
Home | html | info | man
[ << ] [ < ] [ Up ] [ > ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.1.3 Verifying X.509 certificate paths

Verifying certificate paths is important in X.509 authentication. For this purpose the following functions are provided.

The verification function will verify a given certificate chain against a list of certificate authorities and certificate revocation lists, and output a bit-wise OR of elements of the gnutls_certificate_status_t enumeration shown in Figure 4.2.

GNUTLS_CERT_INVALID

The certificate is not signed by one of the known authorities or the signature is invalid.

GNUTLS_CERT_REVOKED

Certificate is revoked by its authority. In X.509 this will be set only if CRLs are checked.

GNUTLS_CERT_SIGNER_NOT_FOUND

The certificate’s issuer is not known. This is the case if the issue is not included in the trusted certificate list. not found.

GNUTLS_CERT_SIGNER_NOT_CA

The certificate’s signer was not a CA. This may happen if this was a version 1 certificate, which is common with some CAs, or a version 3 certificate without the basic constrains extension.

GNUTLS_CERT_INSECURE_ALGORITHM

The certificate was signed using an insecure algorithm such as MD2 or MD5. These algorithms have been broken and should not be trusted.

GNUTLS_CERT_NOT_ACTIVATED

The certificate is not yet activated.

GNUTLS_CERT_EXPIRED

The certificate has expired.

Figure 4.2: The gnutls_certificate_status_t enumeration.

An example of certificate verification is shown in ex:verify2. It is also possible to have a set of certificates that are trusted for a particular server but not to authorize other certificates. This purpose is served by the functions gnutls_x509_trust_list_add_named_crt and gnutls_x509_trust_list_verify_named_crt.


[ << ] [ < ] [ Up ] [ > ] [ >> ]         [Top] [Contents] [Index] [ ? ]

This document was generated on March 23, 2012 using texi2html 5.0.

© manpagez.com 2000-2024
Individual documents may contain additional copyright information.