Working around wrong algorithm specification in certificates

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jul 24 10:55:50 CEST 2010


On 07/24/2010 03:06 AM, Mads Kiilerich wrote:

>>> I can see that you added PK_X509_RSA_OID since 2.10.0. Could this
>>> perhaps be added too?
>>> There is also anecdotical evidence that SIG_RSA_SHA1_OID needs the same
>>> treatment. I haven't seen that, but getting both fixed at once could be
>>> great.
>> I've added them to the 2.10.x branch. I've not added the SHA1_OID but if
>> you have some certificates using it, I'll add it. Clearly this OID
>> shouldn't have been there!
> 
> Thanks!
> 
> The anecdote of the need for SIG_RSA_SHA1_OID could be tracked down to
> the comments on
> http://sourceforge.net/tracker/index.php?func=detail&aid=1744033&group_id=24366&atid=381349
> . But the BER encoded certificate on
> https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography#A_Typical_Certificate
> (which despite the text _not_ is what is displayed) also uses
> tbsCertificate.subjectPublicKeyInfo.algorithm=sha1WithRSAEncryption.
> Please consider adding support for that too.
I've added that too.

> If you are going to make a release from gnutls_2_10_x then I hope you
> will include "Correctly deinitialize crypto API handles." as well.
The fix is already there so it will be included.

> However, according to NEWS you have released 2.11.0 already - but it is
> not on ftp://ftp.gnu.org/pub/gnu/gnutls/ ?
It is development release so it is available on alpha.gnu.org (not yet)
and ftp.gnutls.org/pub/gnutls/devel only.

regards,
Nikos




More information about the Gnutls-help mailing list