gnutls_certificate_set_trust_list - Linux


Overview

gnutls_certificate_set_trust_list modifies the trust list for a given certificate in the GnuTLS library. It lets an application specify custom trust criteria for validating certificates, which is useful when validating against a private PKI or a self-signed certificate chain.

Syntax

gnutls_certificate_set_trust_list(certificate, trust_list);

Parameters:

  • certificate: The certificate handle representing the certificate whose trust list will be modified.
  • trust_list: An array of gnutls_certificate_type_t flags representing the trust conditions that the certificate must satisfy.

Options/Flags

The trust_list parameter can include the following flags (bitwise-OR them together for multiple conditions):

  • GNUTLS_CRT_SKIP_DNS_VERIFICATION – Skips DNS hostname verification for the certificate.
  • GNUTLS_CRT_IGNORE – Ignores all trust requirements for the certificate.
  • GNUTLS_CRT_X509 – Requires the certificate to be an X.509 certificate with a valid certificate chain.
  • GNUTLS_CRT_OPENPGP – Requires the certificate to be an OpenPGP certificate with a valid certificate chain.
  • GNUTLS_CRT_OPENPGP_FULL – Requires the OpenPGP certificate to fully match the requirements of RFC 4880.

Examples

Skipping DNS Hostname Verification

gnutls_certificate certificate;   /* handle must already be initialised (see Common Issues) */
int trust_list = GNUTLS_CRT_SKIP_DNS_VERIFICATION;   /* only the hostname check is skipped */

gnutls_certificate_set_trust_list(certificate, &trust_list);

Custom Trust List for Self-Signed Certificate

gnutls_certificate certificate;   /* handle must already be initialised (see Common Issues) */
/* Per the flag descriptions above, GNUTLS_CRT_IGNORE disables every trust
   requirement, including the chain check requested by GNUTLS_CRT_OPENPGP,
   so keep this combination to test setups. */
int trust_list = GNUTLS_CRT_IGNORE | GNUTLS_CRT_OPENPGP;

gnutls_certificate_set_trust_list(certificate, &trust_list);

Common Issues

  • Ensure that the certificate handle is valid before modifying its trust list.
  • Double-check the trust conditions specified in the trust_list parameter: a misconfigured list (for example, GNUTLS_CRT_IGNORE or GNUTLS_CRT_SKIP_DNS_VERIFICATION left set outside a test setup) yields incorrect validation results, accepting certificates that should have been rejected.

Integration

gnutls_certificate_set_trust_list can be used in combination with other GnuTLS functions, such as gnutls_certificate_verify() and gnutls_certificate_list_set(), to implement custom certificate validation logic. It allows for fine-grained control over the trust criteria for certificates in various applications, including TLS clients and servers.

Related Commands

  • gnutls_certificate_verify() – Verifies a certificate based on the trust list and other specified criteria.
  • gnutls_certificate_list_set() – Sets the certificate chain to be used for verification.
  • gnutls_x509_crt_init() – Initializes an X.509 certificate structure.
  • gnutls_openpgp_crt_init() – Initializes an OpenPGP certificate structure.