[gnutls-help] Cert in DER, a pleasant surprise...?

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Mar 27 08:13:05 CET 2019


On Tue, 2019-03-26 at 21:19 +0100, Rick van Rein wrote:
> Hi,
> 
> I read in your docs on "gnutls_certificate_get_crt_raw ()" that it
> intends to "return the DER encoded certificate of the server".  That
> raises a few questions.
> 
> 1.
> Did you mean to return the _peer_ certificate, or always the _server_
> certificate?

Hi,
 This returns the certificate as in the credentials structure.

> 2.
> When the certificate is not DER-encoded, do you recode it?  That
> would be quite useful! This is not a PEM-or-DER question but
> BER-or-DER.  The TBSCertificate needs to be canonical so DER, but
> the Certificate around it may be BER, as specified in .  Not sure
> everyone knows this... and having it repackaged would be pleasant
> to stop bugs caused by it.

I'd treat that as an implementation detail. We used to always
DER-re-encode certificates, but that caused problems interoperating
with golang applications which used to generate certificates not
following DER very strictly, thus gnutls was breaking the signatures
for them.

regards,
Nikos
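The failure mode Nikos describes (re-encoding a certificate to strict DER changes the bytes the signature was computed over, so verification breaks) is easy to see with a small ASN.1 walker. The example below is added here; it is not code from this thread or from GnuTLS. It reads the outer Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } structure, reports whether every length octet string is DER-minimal, returns the TBSCertificate bytes exactly as received, and shows that re-encoding a BER-style long-form length changes the digest a verifier would check. The two sample "certificates" are constructed inline (a one-field placeholder TBS, not real X.509 content); only their outer framing is realistic.

```python
import hashlib


def _read_header(buf, pos):
    """Parse one tag+length header at buf[pos].
    Returns (tag, content_start, content_end, length_is_minimal)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled in this example")
    first = buf[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length: BER only, never valid DER")
    if first < 0x80:
        length, hdr, minimal = first, 2, True
    else:
        n = first & 0x7F
        lb = buf[pos + 2:pos + 2 + n]
        if len(lb) != n:
            raise ValueError("truncated length")
        length, hdr = int.from_bytes(lb, "big"), 2 + n
        # DER requires the shortest encoding: no long form below 128,
        # no leading zero octets in the length.
        minimal = not (length < 0x80 or lb[0] == 0)
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated content")
    return tag, pos + hdr, end, minimal


def _encode_length(n):
    """Minimal (DER) length octets for n."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def lengths_are_der(buf, start=0, end=None):
    """True iff every length in buf[start:end] (recursively) is minimal."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, cstart, cend, minimal = _read_header(buf, pos)
        if not minimal:
            return False
        if tag & 0x20 and not lengths_are_der(buf, cstart, cend):  # constructed
            return False
        pos = cend
    return True


def reencode_der(buf, start=0, end=None):
    """Re-emit buf[start:end] with minimal lengths, recursing into constructed
    elements; primitive contents are copied verbatim. This is the kind of
    normalisation that changes the signed bytes of a non-strict certificate."""
    end = len(buf) if end is None else end
    out, pos = bytearray(), start
    while pos < end:
        tag, cstart, cend, _ = _read_header(buf, pos)
        content = reencode_der(buf, cstart, cend) if tag & 0x20 else buf[cstart:cend]
        out += bytes([tag]) + _encode_length(len(content)) + content
        pos = cend
    return bytes(out)


def split_certificate(cert):
    """Return (tbs, sig_alg, sig_value) as raw TLV byte strings exactly as on
    the wire. A verifier must hash `tbs` as received, not a re-encoding."""
    tag, start, end, _ = _read_header(cert, 0)
    if tag != 0x30 or end != len(cert):
        raise ValueError("Certificate must be a single SEQUENCE")
    parts, pos = [], start
    for expected in (0x30, 0x30, 0x03):  # TBS SEQUENCE, AlgorithmIdentifier, BIT STRING
        tag, _, cend, _ = _read_header(cert, pos)
        if tag != expected:
            raise ValueError("unexpected tag 0x%02x" % tag)
        parts.append(cert[pos:cend])
        pos = cend
    if pos != end:
        raise ValueError("trailing element inside Certificate")
    return tuple(parts)


def tbs_fingerprints(cert):
    """SHA-256 of the wire TBS bytes and of their DER re-encoding; a difference
    means a strict re-encoder would break this certificate's signature."""
    tbs = split_certificate(cert)[0]
    return (hashlib.sha256(tbs).hexdigest(),
            hashlib.sha256(reencode_der(tbs)).hexdigest())


def _tlv(tag, content, long_form=False):
    """Build a TLV; long_form=True emits a BER-legal but non-DER 0x81 length."""
    if long_form:
        return bytes([tag, 0x81, len(content)]) + content
    return bytes([tag]) + _encode_length(len(content)) + content


# Constructed samples: placeholder TBS (INTEGER 1), sha256WithRSAEncryption OID,
# and a dummy 4-byte signature. Only the framing matters here.
_TBS_FIELDS = _tlv(0x02, b"\x01")
_SIG_ALG = _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
_SIG_VALUE = _tlv(0x03, b"\x00\xde\xad\xbe\xef")
CERT_DER = _tlv(0x30, _tlv(0x30, _TBS_FIELDS) + _SIG_ALG + _SIG_VALUE)
CERT_BER = _tlv(0x30, _tlv(0x30, _TBS_FIELDS, long_form=True) + _SIG_ALG + _SIG_VALUE)
```

Running `tbs_fingerprints(CERT_BER)` gives two different digests while `tbs_fingerprints(CERT_DER)` gives equal ones; `lengths_are_der` tells a library or an audit script which certificates in a store would be affected by a re-encoding step, which is the practical check to run before deciding to "repackage" anything.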
