gnutls_x509_crt_print omits AIA extension

Richard Moore rich at kde.org
Sun Jan 8 11:57:05 CET 2012


On Sun, Jan 8, 2012 at 10:03 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On 01/07/2012 10:11 PM, Richard Moore wrote:
>
>> In the course of evaluating gnutls vs. openssl, I've spotted that
>> gnutls_x509_crt_print fails to display the AIA extension. Unknown
>> extensions are displayed properly (hexdump), so it's not simply that
>> the code doesn't understand it. This can be reproduced using the
>> supplied certtool:
>> certtool --infile gmail.pem --certificate-info
>> Just grab the cert from any valid site and you'll find the extension.
>> Compare the output with:
>> openssl x509 -text -in gmail.pem
>> (both the above commands were run using the pem of the gmail certificate).
>
>
> Which version of gnutls did you test? I just tested and the provided information
> is the same.

I'm using version 3.0.3 from suse 12.1 (package name is
gnutls-3.0.3-5.1.2.x86_64).
Here's the extensions section from cert tool for gmail's cert:

       Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                CRL Distribution points (not critical):
                        URI: http://crl.thawte.com/ThawteSGCCA.crl
                Key Purpose (not critical):
                        TLS WWW Server.
                        TLS WWW Client.
                        2.16.840.1.113730.4.1
                Unknown extension 1.3.6.1.5.5.7.1.1 (not critical):
                        ASCII: 0d0"..+.....0...http://ocsp.thawte.com0>..+.....0..2http://www.thawte.com/repository/Thawte_SGC_CA.crt
                        Hexdump: 3064302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d303e06082b060105050730028632687474703a2f2f7777772e7468617774652e636f6d2f7265706f7369746f72792f5468617774655f5347435f43412e637274

Here's the equivalent from openssl:

       X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.thawte.com/ThawteSGCCA.crl

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.thawte.com
                CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt

Regards

Rich.







>
> regards,
> Nikos



