[gnutls-devel] certificate I can't import

Kurt Roeckx kurt at roeckx.be
Sat Aug 15 15:08:25 CEST 2015


On Sat, Aug 15, 2015 at 02:28:09PM +0200, Andreas Metzler wrote:
> On 2015-08-15 Kurt Roeckx <kurt at roeckx.be> wrote:
> > I didn't have time yet to look into this myself, but I have a
> > bunch of certificates I can't import it with
> > gnutls_x509_crt_import().  I can perfectly read them with openssl
> > and can't see anything obvious wrong with them at a first look.
> > Can someone look at this?  I've attached an example.
> [...]
> 
> Hello,
> 
> ametzler at argenau:/tmp$ certtool --infile=/tmp/fail.pem -i --debug=4711
> Setting log level to 4711
> |<2>| Unknown SIGN OID: '1.2.840.113549.1.1.1'
> |<2>| signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: RSA-SHA1, (null)
> 
> 1.2.840.113549.1.1.1 is "rsaEncryption", I *guess* that is not a valid
> signature algorithm, it should read something like sha1WithRSAEncryption.

Right,

OpenSSL also says:
Signature Algorithm: rsaEncryption
Signature Algorithm: sha1WithRSAEncryption

It clearly should not pass validation, but is that a reason not to
import the certificate?


Kurt
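The certtool debug output above is reporting the consistency rule from RFC 5280 section 4.1.2.3: the AlgorithmIdentifier inside tbsCertificate.signature must equal the outer signatureAlgorithm of the Certificate, and in the attached file the inner one is rsaEncryption (a key-type OID, not a signature scheme) while the outer one is sha1WithRSAEncryption. The script below is an added illustration, not code from GnuTLS, OpenSSL or either poster: it is a stdlib-only Python lint that extracts both OIDs with a minimal DER walker and reports whether they agree, so such a certificate can be flagged before anything tries to import or validate it. The two sample certificates are constructed inline (empty Name, placeholder key and signature bit strings), so they parse structurally but are not verifiable; the `RSA_ENCRYPTION` and `SHA1_WITH_RSA` constants are the standard PKCS#1 OIDs.

```python
import base64
import sys

# Standard PKCS#1 OIDs; 1.2.840.113549.1.1.1 is the one the thread flags as unexpected.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption: identifies a key type, not a signature scheme
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"    # sha1WithRSAEncryption


# ---- minimal DER encoding (only used to construct the sample certificates) ----

def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                       # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def alg_id(dotted):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }
    return seq(oid(dotted), b"\x05\x00")


# ---- minimal DER decoding ----

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def oid_decode(body):
    parts = [body[0] // 40, body[0] % 40]     # correct for arcs 0 and 1, which is all we need here
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)

def _alg_oid(alg_identifier_body):
    tag, body, _ = read_tlv(alg_identifier_body)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return oid_decode(body)

def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = read_tlv(cert)
    _, outer_alg, _ = read_tlv(cert, pos)
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    tag, _, p = read_tlv(tbs)
    if tag == 0xA0:                           # explicit [0] version present: skip it
        _, _, p = read_tlv(tbs, p)            # serialNumber
    _, inner_alg, _ = read_tlv(tbs, p)
    return _alg_oid(inner_alg), _alg_oid(outer_alg)

def check(cert_der):
    inner, outer = signature_algorithms(cert_der)
    return {"tbs_signature": inner, "signatureAlgorithm": outer, "consistent": inner == outer}

def pem_to_der(pem_text):
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64)


# ---- constructed sample certificates: placeholder key/signature bits, empty names ----

def build_sample_cert(tbs_sig_oid, outer_sig_oid):
    version = tlv(0xA0, tlv(0x02, b"\x02"))                     # [0] EXPLICIT INTEGER 2 (v3)
    serial = tlv(0x02, b"\x01")
    name = seq()                                                # Name with zero RDNs
    validity = seq(tlv(0x17, b"150815000000Z"), tlv(0x17, b"160815000000Z"))
    spki = seq(alg_id(RSA_ENCRYPTION), tlv(0x03, b"\x00" * 9))  # placeholder key BIT STRING
    tbs = seq(version, serial, alg_id(tbs_sig_oid), name, validity, name, spki)
    signature = tlv(0x03, b"\x00" * 17)                         # placeholder signature BIT STRING
    return seq(tbs, alg_id(outer_sig_oid), signature)

GOOD_CERT = build_sample_cert(SHA1_WITH_RSA, SHA1_WITH_RSA)
BAD_CERT = build_sample_cert(RSA_ENCRYPTION, SHA1_WITH_RSA)     # the mismatch certtool reported

if __name__ == "__main__":
    if len(sys.argv) > 1:                                       # e.g. python check_sigalg.py fail.pem
        with open(sys.argv[1]) as f:
            print(check(pem_to_der(f.read())))
    else:
        print("good:", check(GOOD_CERT))
        print("bad: ", check(BAD_CERT))
```

Run with a PEM path to lint a real file, or with no arguments to see the constructed good and bad cases. The walker deliberately reads only the first three fields of the Certificate and TBSCertificate; it is enough to answer the question in the thread (do the two identifiers agree?) without pulling in a full X.509 parser, and a `consistent: False` result is exactly the condition that makes the GnuTLS import fail while a lenient parser still displays the certificate.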
