[gnutls-dev] libgnutls fails to parse OpenSSL generated certificates
Simon Josefsson
simon at josefsson.org
Wed Dec 27 19:28:02 CET 2006
Max Kellermann <max at duempel.org> writes:
> libgnutls refuses to parse the subject of certificates created by
> OpenSSL which have a userid attribute in their subject, i.e. oid
> 0.9.2342.19200300.100.1.1. Output of "certtool -i":
>
> |<1>| Found OID: '0.9.2342.19200300.100.1.1' with value
> '13066d6c61626962'
> get_dn: ASN1 parser: Error in TAG.
>
> gnutls generates certificates with an "ia5String" uid, while OpenSSL
> generates a "printableString". The latter violates gnutls'
> lib/pkix.asn which states:
>
> -- LDAP stuff
> -- may not be correct
> [...]
> ldap-UID ::= IA5String
>
> Which is indeed not correct. ldap-UID should be a DirectoryString.
I agree.
> On 2006/12/20 13:53, Max Kellermann <max at duempel.org> wrote:
>> -- LDAP stuff
>> -- may not be correct
>> [...]
>> ldap-UID ::= IA5String
>>
>> Which is indeed not correct. ldap-UID should be a DirectoryString.
>
> Here is a patch for this bug. I had to add IA5String to the
> DirectoryString CHOICE. This is obviously incorrect, but seems to be
> the only way to ensure that certificates generated by certtool can
> also be parsed. Please correct me if there is a better solution.
I cannot think of one. I have added a self-test in tests/userid/ to
make sure future versions of GnuTLS can read certificates with UIDs
encoded as IA5String (OpenSSL appears to handle this too), and
installed your patch.
Btw, I believe we need a copyright assignment from you to be able to
use more of your patches (which I'd really like to see happen!). Is
this a problem? Let me know and I can send you the forms offline.
> Just a note: my patch does not work with the included minitasn
> library, you need libtasn.
Why is that? I updated the generated pkix_asn1_tab.c in CVS, which
should make it work with minitasn1.
/Simon
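As an added illustration (not code from the thread or from GnuTLS), the tag check below mirrors the schema problem discussed above: under `ldap-UID ::= IA5String` the PrintableString value printed by certtool (`13066d6c61626962`) is rejected with a tag error, while the patched DirectoryString CHOICE with IA5String added accepts both encodings. The minimal single-TLV decoder and the `CERTTOOL_UID` sample (the same text re-encoded as IA5String) are constructed for this example.

```python
# Added example (not GnuTLS code): a minimal DER tag check that mirrors the
# bug in the thread.  lib/pkix.asn declared "ldap-UID ::= IA5String", so a
# UID (OID 0.9.2342.19200300.100.1.1) that OpenSSL encodes as PrintableString
# (tag 0x13) fails with "Error in TAG"; the patch adds IA5String to the
# DirectoryString CHOICE so both encodings parse.

# Universal ASN.1 string tags (X.680).
TAG_UTF8 = 0x0C
TAG_PRINTABLE = 0x13
TAG_TELETEX = 0x14
TAG_IA5 = 0x16
TAG_UNIVERSAL = 0x1C
TAG_BMP = 0x1E

# DirectoryString CHOICE as defined in PKIX.
DIRECTORY_STRING = {TAG_TELETEX, TAG_PRINTABLE, TAG_UNIVERSAL, TAG_UTF8, TAG_BMP}

# The two schemas under discussion.
SCHEMA_OLD = {TAG_IA5}                          # ldap-UID ::= IA5String
SCHEMA_PATCHED = DIRECTORY_STRING | {TAG_IA5}   # DirectoryString + IA5String


def decode_der_string(der: bytes):
    """Decode one primitive DER TLV with a short-form length -> (tag, text).
    Constructed helper: only what this example needs, not a full DER parser."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, length = der[0], der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    return tag, der[2:2 + length].decode("ascii")


def parse_uid(der: bytes, accepted_tags) -> str:
    """Return the UID text, or fail the way the thread's certtool output does."""
    tag, text = decode_der_string(der)
    if tag not in accepted_tags:
        raise ValueError("ASN1 parser: Error in TAG (tag 0x%02x)" % tag)
    return text


def check(der_hex: str, accepted_tags) -> bool:
    """True if the value parses under the given schema, False on a tag error."""
    try:
        parse_uid(bytes.fromhex(der_hex), accepted_tags)
        return True
    except ValueError:
        return False


OPENSSL_UID = "13066d6c61626962"   # value from the thread: PrintableString
CERTTOOL_UID = "16066d6c61626962"  # constructed: same text as IA5String
```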