[gnutls-dev] libgnutls failes to parse OpenSSL generated certificates

Simon Josefsson simon at josefsson.org
Wed Dec 27 19:28:02 CET 2006


Max Kellermann <max at duempel.org> writes:

> libgnutls refuses to parse the subject of certificates created by
> OpenSSL which have a userid attribute in their subject, i.e. oid
> 0.9.2342.19200300.100.1.1.  Output of "certtool -i":
>
> |<1>| Found OID: '0.9.2342.19200300.100.1.1' with value
>  '13066d6c61626962'
> get_dn: ASN1 parser: Error in TAG.
>
> gnutls generates certificates with an "ia5String" uid, while OpenSSL
> generates a "printableString".  The latter violates gnutls'
> lib/pkix.asn which states:
>
>  -- LDAP stuff
>  -- may not be correct
>  [...]
>  ldap-UID ::= IA5String
>
> Which is indeed not correct.  ldap-UID should be a DirectoryString.

I agree.

> On 2006/12/20 13:53, Max Kellermann <max at duempel.org> wrote:
>>  -- LDAP stuff
>>  -- may not be correct
>>  [...]
>>  ldap-UID ::= IA5String
>> 
>> Which is indeed not correct.  ldap-UID should be a DirectoryString.
>
> Here is a patch for this bug.  I had to add IA5String to the
> DirectoryString CHOICE.  This is obviously incorrect, but seems to be
> the only way to ensure that certificates generated by certtool can
> also be parsed.  Please correct me if there is a better solution.

I cannot think of one.  I have added a self-test in tests/userid/ to
make sure future versions of GnuTLS can read certificates with UID'd
encoded as IA5String (OpenSSL appear to handle this too), and
installed your patch.

Btw, I believe we need a copyright assignment from you to be able to
use more of your patches (which I'd really like to see happen!).  Is
this a problem?  Let me know and I can send you the forms offline.

> Just a note: my patch does not work with the included minitasn
> library, you need libtasn.

Why is that?  I updated the generated pkix_asn1_tab.c in CVS, which
should make it work with minitasn1.

/Simon



More information about the Gnutls-dev mailing list