gnutls_x509_crt_print omits AIA extension

Richard Moore rich at kde.org
Sun Jan 8 11:58:46 CET 2012


On Sun, Jan 8, 2012 at 10:57 AM, Richard Moore <rich at kde.org> wrote:
> On Sun, Jan 8, 2012 at 10:03 AM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>> On 01/07/2012 10:11 PM, Richard Moore wrote:
>>
>>> In the course of evaluating gnutls vs. openssl, I've spotted that
>>> gnutls_x509_crt_print fails to display the AIA extension. Unknown
>>> extensions are displayed properly (hexdump), so it's not simply that
>>> the code doesn't understand it. This can be reproduced using the
>>> supplied certtool:
>>> certtool --infile gmail.pem --certificate-info
>>> Just grab the cert from any valid site and you'll find the extension.
>>> Compare the output with:
>>> openssl x509 -text -in gmail.pem
>>> (both the above commands were run using the pem of the gmail certificate).
>>
>>
>> Which version of gnutls did you test? I just tested and the provided information
>> is the same.
>
> I'm using version 3.0.3 from suse 12.1 (package name is
> gnutls-3.0.3-5.1.2.x86_64).
> Here's the extensions section from certtool for gmail's cert:
>
>       Extensions:
>                Basic Constraints (critical):
>                        Certificate Authority (CA): FALSE
>                CRL Distribution points (not critical):
>                        URI: http://crl.thawte.com/ThawteSGCCA.crl
>                Key Purpose (not critical):
>                        TLS WWW Server.
>                        TLS WWW Client.
>                        2.16.840.1.113730.4.1
>                Unknown extension 1.3.6.1.5.5.7.1.1 (not critical):
>                        ASCII:
> 0d0"..+.....0...http://ocsp.thawte.com0>..+.....0..2http://www.thawte.com/repository/Thawte_SGC_CA.crt
>                        Hexdump:
> 3064302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d303e06082b060105050730028632687474703a2f2f7777772e7468617774652e636f6d2f7265706f7369746f72792f5468617774655f5347435f43412e637274
>
> Here's the equivalent from openssl:
>
>       X509v3 extensions:
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 CRL Distribution Points:
>
>                Full Name:
>                  URI:http://crl.thawte.com/ThawteSGCCA.crl
>
>            X509v3 Extended Key Usage:
>                TLS Web Server Authentication, TLS Web Client
> Authentication, Netscape Server Gated Crypto
>            Authority Information Access:
>                OCSP - URI:http://ocsp.thawte.com
>                CA Issuers -
> URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt
>

Ah, looking again, I can see that the AIA extension has been treated as
unknown (I'd assumed the unknown one would be the logo extension that
quite a few certs seem to have these days). I guess this version just
doesn't support AIA properly.

Rich.

> Regards
>
> Rich.
>
>> regards,
>> Nikos
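As an added illustration (not code from the thread or from gnutls), the hexdump certtool printed for the "unknown" extension can be decoded by hand: it is an RFC 5280 AuthorityInfoAccessSyntax, a SEQUENCE of AccessDescription {accessMethod OID, accessLocation GeneralName}. The minimal DER walker below uses only the hexdump and the two access-method OIDs (id-ad-ocsp, id-ad-caIssuers) and recovers exactly what openssl shows.

```python
ACCESS_METHODS = {"1.3.6.1.5.5.7.48.1": "OCSP", "1.3.6.1.5.5.7.48.2": "CA Issuers"}  # RFC 5280 4.2.2.1
# AIA extension value, copied from the certtool hexdump in the message above
AIA_HEX = "3064302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d303e06082b060105050730028632687474703a2f2f7777772e7468617774652e636f6d2f7265706f7369746f72792f5468617774655f5347435f43412e637274"

def read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, contents, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end

def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_aia(der):
    """Decode AuthorityInfoAccessSyntax into a list of (access method, location)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AIA value must be exactly one SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        oid_tag, oid, next_pos = read_tlv(desc, 0)
        name_tag, name, _ = read_tlv(desc, next_pos)
        if oid_tag != 0x06:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        method = decode_oid(oid)
        # [6] uniformResourceIdentifier is an IA5String; other GeneralName choices are reported by tag
        location = name.decode("ascii") if name_tag == 0x86 else f"<GeneralName tag 0x{name_tag:02x}>"
        entries.append((ACCESS_METHODS.get(method, method), location))
    return entries

if __name__ == "__main__":
    for method, location in parse_aia(bytes.fromhex(AIA_HEX)):
        print(f"{method} - URI:{location}")
```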
