[gnutls-devel] turkish CA certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Jun 6 10:07:30 CEST 2014

On Fri, Jun 6, 2014 at 8:53 AM, Dmitriy Anisimkov <anisimkov at ada-ru.org> wrote:
> I got this certificate from OpenSUSE repository
> packageca-certificates-mozilla,
> I guess it is trusted and public available.
> OpenSSL shows it correctly
> openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt
> -text -noout
> But GNUTLS command
> certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i

 This must be the same certificate Kurt reported few days ago. It
mis-encodes the country name as UTF8String rather than printable
string, and this is the reason decoding fails.
RFC5280 is strict on the encoding of countryName and that is a PrintableString:
X520countryName ::=     PrintableString (SIZE (2))

I guess all other implementations give some slack to the spec and
that's why they didn't notice. How important is that certificate would
it make sense to work around and allow such invalid encodings?


More information about the Gnutls-devel mailing list