[gnutls-devel] turkish CA certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Jun 6 10:24:48 CEST 2014

On Fri, Jun 6, 2014 at 10:07 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
>> I guess it is trusted and public available.
>> OpenSSL shows it correctly
>> openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt
>> -text -noout
>> But GNUTLS command
>> certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i
> Hello,
>  This must be the same certificate Kurt reported few days ago. It
> mis-encodes the country name as UTF8String rather than printable
> string, and this is the reason decoding fails.
> RFC5280 is strict on the encoding of countryName and that is a PrintableString:
> X520countryName ::=     PrintableString (SIZE (2))
> I guess all other implementations give some slack to the spec and
> that's why they didn't notice. How important is that certificate would
> it make sense to work around and allow such invalid encodings?

I think there is a good work-around. I've modified gnutls' DN decoding
to treat invalid encodings as unsupported elements, thus the country
name will be printed using the hex notation (see below).
CN=TÜRKTRUST Elektronik Sertifika Hizmet
Sağlayıcısı,C=#0c025452,L=ANKARA,O=(c) 2005 TÜRKTRUST Bilgi İletişim
ve Bilişim Güvenliği Hizmetleri A.Ş.


More information about the Gnutls-devel mailing list