blocking certificates directly in the library

Raphael Geissert geissert at debian.org
Sun Nov 6 08:15:46 UTC 2011


Hi,

As you may have noticed through openssl's DSA, openssl blocks DigiNotar's 
certificates directly in libssl. I have now had enough time to write a similar 
patch for gnutls.

Attached is my proposed patch against 2.12.12. Just like in openssl's case it 
is more a hack than a solution, but a useful one nonetheless.
The main difference between the version for openssl and this one is that while 
ossl does build and verify the complete chain, gnutls only checks the ones 
that it doesn't consider trusted. I've worked around that behaviour by 
checking the issuer and it seems to do the trick for all my test cases.

The bit that needs to be clarified is what happens whenever the field or value 
is missing. In those cases I'd just skip the check, however, I didn't consider 
checking for ASN1_VALUE_NOT_FOUND in verify.c appropriate.

Could you please review and comment on the patch? Would you agree to include 
it in the package (including the *stable releases)?
Please do forward it to whoever you deem appropriate.

The attached patch should not yet be included in any package, since it also 
blocks another CA whose root has asked to hold on applying the revocation for 
a few more days.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: add_x509_ca_blacklist.212.v1.patch
Type: text/x-patch
Size: 974 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20111106/345ce91f/attachment.bin>
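The check the mail describes, sketched here as an added illustration rather than the attached patch (which is not reproduced on this page) and without the GnuTLS API: each certificate in the chain handed to verification is matched against a blocklist of CA subject DNs by both its own subject and its issuer. Because gnutls skips certificates it already trusts, the trusted root never appears in the list being verified, so a subject-only check would miss a blocklisted root; the issuer check on the next certificate down still catches it. All DNs, the chain and the comparison by pre-rendered DN strings are constructed for the example; a missing field is skipped, as the mail proposes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a parsed certificate: only the two DNs the check
 * needs. A real implementation would read these with the library's DN
 * accessors instead of pre-rendered strings. */
typedef struct {
    const char *subject;   /* NULL models a missing field */
    const char *issuer;    /* NULL models a missing field */
} cert_dn_t;

/* Constructed blocklist of CA subject DNs (placeholders, not real CAs). */
static const char *const ca_blocklist[] = {
    "C=XX,O=Constructed CA,CN=Constructed Blocked Root CA",
    "C=XX,O=Constructed CA,CN=Constructed Blocked Public CA",
};
#define CA_BLOCKLIST_LEN (sizeof ca_blocklist / sizeof ca_blocklist[0])

/* 1 if the DN is on the blocklist, 0 otherwise. A missing DN is skipped. */
static int dn_is_blocked(const char *dn)
{
    if (dn == NULL)
        return 0;
    for (size_t i = 0; i < CA_BLOCKLIST_LEN; i++)
        if (strcmp(dn, ca_blocklist[i]) == 0)
            return 1;
    return 0;
}

/* Naive variant: only the certificates' own subjects are checked.
 * Returns the index of the first blocked certificate, or -1. */
int chain_check_subject_only(const cert_dn_t *chain, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (dn_is_blocked(chain[i].subject))
            return (int)i;
    return -1;
}

/* Variant from the mail: a certificate is rejected if it is a blocked CA
 * or if it was issued by one. Returns the first offending index, or -1. */
int chain_check_with_issuer(const cert_dn_t *chain, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (dn_is_blocked(chain[i].subject) || dn_is_blocked(chain[i].issuer))
            return (int)i;
    return -1;
}

/* Constructed chain as gnutls would present it when the root is already in
 * the trust store: leaf, then intermediate; the blocked root itself is absent. */
const cert_dn_t demo_chain[] = {
    { "CN=www.example.test",
      "C=XX,O=Constructed CA,CN=Constructed Intermediate CA" },
    { "C=XX,O=Constructed CA,CN=Constructed Intermediate CA",
      "C=XX,O=Constructed CA,CN=Constructed Blocked Root CA" },
};
#define DEMO_CHAIN_LEN (sizeof demo_chain / sizeof demo_chain[0])

/* Constructed certificate with no issuer field: the check is skipped. */
const cert_dn_t demo_missing_issuer[] = {
    { "CN=self-issued.example.test", NULL },
};

int main(void)
{
    printf("subject-only check: %d\n",
           chain_check_subject_only(demo_chain, DEMO_CHAIN_LEN));
    printf("subject+issuer check: %d\n",
           chain_check_with_issuer(demo_chain, DEMO_CHAIN_LEN));
    printf("missing issuer field: %d\n",
           chain_check_with_issuer(demo_missing_issuer, 1));
    return 0;
}
```

The subject-only pass returns -1 for the demo chain because the blocked root is never in the verified list; the issuer pass rejects the intermediate at index 1. Matching by rendered DN string is the simplification here; matching on the issuer's key identifier or on the certificate fingerprint would be more robust, since DN strings can be re-encoded.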

