[gnutls-devel] turkish CA certificate
Nikos Mavrogiannopoulos
nmav at gnutls.org
Fri Jun 6 10:07:30 CEST 2014
On Fri, Jun 6, 2014 at 8:53 AM, Dmitriy Anisimkov <anisimkov at ada-ru.org> wrote:
> I got this certificate from OpenSUSE repository
> package ca-certificates-mozilla,
> I guess it is trusted and publicly available.
> OpenSSL shows it correctly
> openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt -text -noout
> But GNUTLS command
> certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i
Hello,
This must be the same certificate Kurt reported a few days ago. It
mis-encodes the country name as UTF8String rather than printable
string, and this is the reason decoding fails.

RFC5280 is strict on the encoding of countryName and that is a PrintableString:

X520countryName ::= PrintableString (SIZE (2))

I guess all other implementations give some slack to the spec and
that's why they didn't notice. How important is that certificate? Would
it make sense to work around and allow such invalid encodings?

regards,
Nikos
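
The check described in the message above, as an added example that is not part of the original post and is not GnuTLS or certtool code: a small DER walker that reports the string type of every countryName (OID 2.5.4.6) it finds. The function names and the C=TR sample Name are constructed for illustration; to check a real certificate, pass its DER bytes (PEM armor removed and base64-decoded).

```python
# Added example: report whether each countryName in DER is PrintableString (SIZE (2)).
OID_COUNTRY = bytes([0x55, 0x04, 0x06])   # 2.5.4.6, id-at-countryName
TAG_OID, TAG_UTF8, TAG_PRINTABLE = 0x06, 0x0C, 0x13
TAG_NAMES = {TAG_UTF8: "UTF8String", TAG_PRINTABLE: "PrintableString"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Parse the concatenated elements inside a constructed value."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_country_names(der):
    """Return (value, string_type, ok) for every countryName found in der."""
    findings = []
    for tag, val in children(der):
        if not tag & 0x20:                 # primitive: nothing to descend into
            continue
        kids = children(val)
        if tag == 0x30 and len(kids) == 2 and kids[0] == (TAG_OID, OID_COUNTRY):
            vtag, vval = kids[1]
            ok = vtag == TAG_PRINTABLE and len(vval) == 2
            findings.append((vval.decode("utf-8", "replace"), TAG_NAMES.get(vtag, hex(vtag)), ok))
        else:
            findings += check_country_names(val)
    return findings

def sample_name(string_tag):
    """Constructed sample: a Name holding only C=TR, with the given string tag."""
    tlv = lambda tag, value: bytes([tag, len(value)]) + value
    atv = tlv(0x30, tlv(TAG_OID, OID_COUNTRY) + tlv(string_tag, b"TR"))
    return tlv(0x30, tlv(0x31, atv))       # SEQUENCE OF SET OF AttributeTypeAndValue
```

An entry with ok set to False marks a certificate that a decoder enforcing the RFC 5280 type will reject, while a lenient decoder will still display it.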