gnuTLS issues

Simon Josefsson simon at
Wed Aug 27 16:46:25 CEST 2008

"Nikos Mavrogiannopoulos" <nmav at> writes:

> On Tue, Aug 26, 2008 at 10:36 PM, Simon Josefsson <simon at> wrote:
>> That means it has been broken since v0.9.0 and nobody has missed it.  I
>> think we should remove the code, it seems nobody needs the feature and
>> removing code decreases complexity.
>> People can use 'certtool --p7-info' to convert PKCS#7 blobs into lists
>> of PEM certificates.  I tried it and it works fine on the OpenSSL file.
> Isn't it the code being used by --p7-info?

Ah, no.  What I suggest is to remove the code to read PKCS#7 certificate
chains in the gnutls_certificate_set_x509_key* functions.

The current code hasn't worked since v0.9.0 and apparently nobody has
missed it, see tests/set_pkcs7_cred.c for example code.  Storing
certificate chains in PKCS#7 blobs is not what that standard is intended
for.  Getting rid of the code may speed up loading certificate slightly,
and will definitely improve code readability.

The PKCS#7 functions used by certtool --p7-info are fine.

What do you think?


More information about the Gnutls-devel mailing list