gnutls_certificate_set_trust_list - Linux
Overview
gnutls_certificate_set_trust_list modifies the trust list for a given certificate in the GnuTLS library. It allows users to specify custom trust criteria for validating certificates, which is particularly useful with a custom PKI or self-signed certificate chains.
Syntax
gnutls_certificate_set_trust_list(certificate, trust_list);
Parameters:
- certificate: The certificate handle representing the certificate whose trust list will be modified.
- trust_list: An array of gnutls_certificate_type_t flags representing the trust conditions that the certificate must satisfy.
Options/Flags
The trust_list parameter can include the following flags (bitwise-OR them together for multiple conditions):
- GNUTLS_CRT_SKIP_DNS_VERIFICATION – Skips DNS hostname verification for the certificate.
- GNUTLS_CRT_IGNORE – Ignores all trust requirements for the certificate.
- GNUTLS_CRT_X509 – Requires the certificate to be an X.509 certificate with a valid certificate chain.
- GNUTLS_CRT_OPENPGP – Requires the certificate to be an OpenPGP certificate with a valid certificate chain.
- GNUTLS_CRT_OPENPGP_FULL – Requires the OpenPGP certificate to fully match the requirements of RFC 4880.
Examples
Skipping DNS Hostname Verification
// Assumes `certificate` has been initialized before this point (see Common Issues).
gnutls_certificate certificate;
int trust_list = GNUTLS_CRT_SKIP_DNS_VERIFICATION;   // hostname verification is skipped
gnutls_certificate_set_trust_list(certificate, &trust_list);
Custom Trust List for Self-Signed Certificate
// Assumes `certificate` has been initialized before this point (see Common Issues).
gnutls_certificate certificate;
// Trust requirements are ignored; the certificate only needs to be OpenPGP.
int trust_list = GNUTLS_CRT_IGNORE | GNUTLS_CRT_OPENPGP;
gnutls_certificate_set_trust_list(certificate, &trust_list);
Common Issues
- Ensure that the certificate handle is valid before modifying its trust list.
- Double-check the trust conditions specified in the trust_list parameter. Misconfiguration can lead to incorrect certificate validation results.
Integration
gnutls_certificate_set_trust_list can be used in combination with other GnuTLS functions, such as gnutls_certificate_verify() and gnutls_certificate_list_set(), to implement custom certificate validation logic. It allows for fine-grained control over the trust criteria for certificates in various applications, including TLS clients and servers.
Related Commands
- gnutls_certificate_verify() – Verifies a certificate based on the trust list and other specified criteria.
- gnutls_certificate_list_set() – Sets the certificate chain to be used for verification.
- gnutls_x509_crt_init() – Initializes an X.509 certificate structure.
- gnutls_openpgp_crt_init() – Initializes an OpenPGP certificate structure.