[gnutls-devel] GnuTLS | Make gnutls compliant to RFC5280 (!1550)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Mar 15 17:47:47 CET 2022

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1550 was reviewed by Daiki Ueno

Daiki Ueno started a new discussion on lib/x509/x509.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_875677759

> +
> +/* Check whether serial number is RFC5280 compliant */
> +static int check_serial(gnutls_x509_crt_t cert)
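
Review bot: the comment on `check_serial` says only "RFC5280 compliant" and names neither the rules it enforces nor what the `int` result means. RFC 5280 section 4.1.2.2 requires the serial number to be a positive integer of at most 20 octets; listing the checks performed and stating whether the function returns 0 on success or a negative error code would let a reader verify it against the RFC.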

If this function returns 0 or 1, I'd suggest changing the return type to `unsigned` (or better, `bool`, given this is an internal function).

Daiki Ueno started a new discussion on lib/x509/x509.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_875677772

> +	/* enforce upper bound on certificate version (RFC5280 compliant) */
> +	if (version > 3) {
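
Review bot: at `if (version > 3)`, the comment should say which representation `version` holds. RFC 5280 encodes v1 to v3 as the INTEGER values 0 to 2, so a bound of 3 is correct only if `version` is the decoded 1-based number; a short note to that effect next to the check would make it auditable.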

Can this be merged into the `if` block below, or perhaps this block should be enclosed with `#ifdef STRICT_X509` ... `#endif`?

Daiki Ueno started a new discussion on lib/pkix.asn: https://gitlab.com/gnutls/gnutls/-/merge_requests/1550#note_875677779

> -      -- so if it causes problems, considering dropping it. --
> -      ia5String               IA5String (SIZE(1..MAX)) }
> +      bmpString               BMPString (SIZE(1..MAX)) }
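
Review bot: this hunk removes the `ia5String` alternative in the same place where it adds `bmpString`, so values that were previously accepted as IA5String will no longer decode against this type. The deleted comment marked `ia5String` as something to drop if it caused problems, so its removal is a behaviour change in its own right; consider keeping the removal and the `bmpString` addition as separately explained changes and adding a test that decodes a BMPString-encoded value.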

I think it's worth mentioning this change in NEWS. Also you might need to adjust or remove the `userid` test (which seems to have moved to `tests/cert-tests/userid.sh`)?
