[gnutls-devel] GnuTLS | certtool --to-p12 should place friendlyName on each certificate that matches a private key (#1263)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Aug 5 15:56:12 CEST 2021

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1263

In `src/certtool.c`, in `generate_pkcs12(common_info_st * cinfo)`, we see:

```c
		if (i == 0) {	/* only the first certificate gets the friendly name */
```

But all the included private keys get the friendlyName attribute.  (All keys and non-CA certs get the localKeyID attribute.)

Some PKCS#12 importers might try to match certs with private keys by matching friendlyName *and* localKeyID attributes.  If one of the certs is missing the friendlyName and it has a corresponding private key, those importers might fail to find it.

Granted, those importers could match just on the localKeyID attribute, but in that case there's no reason for the friendlyName attribute at all.  If `certtool` is going to emit the `friendlyName` at all, it should:

- if there are no private keys, apply the friendlyName only to the first certificate (as it currently does)
- if there are private keys, it should apply the friendlyName to any certificate whose SPKI matches the public key corresponding to one of the private keys.

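The mismatch described in the issue, as an added example that is not part of the original post and is not certtool's code: a simplified C model of the attribute assignment and of an importer that requires both friendlyName and localKeyID to match. `struct bag`, `assign_attrs`, `strict_importer_pairs`, `demo` and the integer `spki` stand-in for the public key are assumptions made for illustration.

```c
#include <stddef.h>
/* Simplified model of a PKCS#12 bag. `spki` is a constructed stand-in for
 * the public key; localKeyID is treated as derived from it, and the file
 * carries a single friendlyName, so only its presence is tracked. */
struct bag {
    int is_key, is_ca, spki;   /* inputs */
    int has_kid, has_fname;    /* attributes written by assign_attrs() */
};

static int matches_a_key(const struct bag *b, size_t n, int spki)
{
    for (size_t i = 0; i < n; i++)
        if (b[i].is_key && b[i].spki == spki)
            return 1;
    return 0;
}

/* proposed == 0: behaviour the issue describes (first certificate only).
 * proposed == 1: behaviour the issue asks for. */
void assign_attrs(struct bag *b, size_t n, int proposed)
{
    int nkeys = 0, first_cert = 1;
    for (size_t i = 0; i < n; i++)
        nkeys += b[i].is_key;
    for (size_t i = 0; i < n; i++) {
        b[i].has_kid = b[i].is_key || !b[i].is_ca;
        if (b[i].is_key) { b[i].has_fname = 1; continue; }
        b[i].has_fname = (proposed && nkeys > 0)
            ? matches_a_key(b, n, b[i].spki) : first_cert;
        first_cert = 0;
    }
}

/* Importer that pairs a key with a certificate only when localKeyID and
 * friendlyName are both present and match; returns keys it could pair. */
int strict_importer_pairs(const struct bag *b, size_t n)
{
    int paired = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; b[i].is_key && j < n; j++)
            if (!b[j].is_key && b[j].has_kid && b[j].has_fname &&
                b[j].spki == b[i].spki) { paired++; break; }
    return paired;
}

/* Constructed sample: two end-entity certs, one CA cert, two keys. */
int demo(int proposed)
{
    struct bag b[] = { {0,0,1}, {0,0,2}, {0,1,9}, {1,0,1}, {1,0,2} };
    assign_attrs(b, 5, proposed);
    return strict_importer_pairs(b, 5);
}
```

With the first-certificate-only rule the strict importer pairs one of the two keys; with the proposed rule it pairs both, and the CA certificate still gets neither attribute.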
