Bug#503833: Unparseable PKCS cert

Simon Josefsson simon at josefsson.org
Fri Nov 7 10:16:01 CET 2008


Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> writes:

> dann frazier wrote:
>
>> Thanks Nikos. Our Debian maintainer has applied your fix and uploaded
>> a package to our experimental repository. However, he does have some
>> concerns about ABI compatibility that may make it harder for us to get
>> it into the upcoming release:
>>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503833
>> Specifically:
>>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503833#23
>> I wonder if you have a take on this?
>
> Indeed it is an issue. Since this structure wasn't intended to be
> exported in the new version of libtasn1 it will not be available (so it
> will allow us to upgrade the library internals without changing the
> API). In 99% of the projects using libtasn1 this will not be an issue
> since this structure is not likely to be used.

I just realized: doesn't Nikos' patch actually do two separate things?

1) Add the BER stuff needed to support the PKCS#12 blob

2) Optimize tree generation by using the small_value field.

It is the 2) that causes the ABI break, but 1) that is needed to solve
to the regression.

Thinking about this, and speaking generally, I don't think optimizations
are important enough to warrant an ABI break without good justification.
Nikos, did you do any benchmarking?  How much is slowed down because of
this?

I'm beginning to feel that we should remove the small_value part of this
patch, to retain ABI compatibility.

/Simon





More information about the Gnutls-devel mailing list