gnutls_x509_crt_print omits AIA extension
Richard Moore
rich at kde.org
Sun Jan 8 11:58:46 CET 2012
On Sun, Jan 8, 2012 at 10:57 AM, Richard Moore <rich at kde.org> wrote:
> On Sun, Jan 8, 2012 at 10:03 AM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>> On 01/07/2012 10:11 PM, Richard Moore wrote:
>>
>>> In the course of evaluating gnutls vs. openssl, I've spotted that
>>> gnutls_x509_crt_print fails to display the AIA extension. Unknown
>>> extensions are displayed properly (hexdump), so it's not simply that
>>> the code doesn't understand it. This can be reproduced using the
>>> supplied certtool:
>>> certtool --infile gmail.pem --certificate-info
>>> Just grab the cert from any valid site and you'll find the extension.
>>> Compare the output with:
>>> openssl x509 -text -in gmail.pem
>>> (both the above commands were run using the pem of the gmail certificate).
>>
>>
>> Which version of gnutls did you test? I just tested and the provided information
>> is the same.
>
> I'm using version 3.0.3 from suse 12.1 (package name is
> gnutls-3.0.3-5.1.2.x86_64).
> Here's the extensions section from certtool for gmail's cert:
>
> Extensions:
> Basic Constraints (critical):
> Certificate Authority (CA): FALSE
> CRL Distribution points (not critical):
> URI: http://crl.thawte.com/ThawteSGCCA.crl
> Key Purpose (not critical):
> TLS WWW Server.
> TLS WWW Client.
> 2.16.840.1.113730.4.1
> Unknown extension 1.3.6.1.5.5.7.1.1 (not critical):
> ASCII:
> 0d0"..+.....0...http://ocsp.thawte.com0>..+.....0..2http://www.thawte.com/repository/Thawte_SGC_CA.crt
> Hexdump:
> 3064302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d303e06082b060105050730028632687474703a2f2f7777772e7468617774652e636f6d2f7265706f7369746f72792f5468617774655f5347435f43412e637274
>
> Here's the equivalent from openssl:
>
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 CRL Distribution Points:
>
> Full Name:
> URI:http://crl.thawte.com/ThawteSGCCA.crl
>
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client
> Authentication, Netscape Server Gated Crypto
> Authority Information Access:
> OCSP - URI:http://ocsp.thawte.com
> CA Issuers -
> URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt
>
Ah, looking again, I can see that the AIA extension has been treated as
unknown (I'd assumed the unknown one would be the logo extension that
quite a few certs seem to have these days). I guess this version just
doesn't support AIA properly.
Rich.
> Regards
>
> Rich.
>> regards,
>> Nikos
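The "unknown extension 1.3.6.1.5.5.7.1.1" in the certtool output above is the Authority Information Access extension from RFC 5280, a SEQUENCE OF AccessDescription (accessMethod OID, accessLocation GeneralName). The following is an added example, not code from the thread or from gnutls, that decodes the exact hexdump quoted above with a minimal DER reader so the contents can be checked against the openssl output; the helper names are my own.

```python
# Added example (not gnutls code): decode the AIA extension value that certtool
# printed as an "unknown" hexdump.  Only definite-length DER and the [6] URI
# form of GeneralName (tag 0x86) are handled, which is all this value uses.

# Hexdump copied from the certtool output quoted in the thread.
AIA_HEX = (
    "3064302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d"
    "303e06082b060105050730028632687474703a2f2f7777772e7468617774652e636f6d2f"
    "7265706f7369746f72792f5468617774655f5347435f43412e637274"
)

# id-ad-ocsp and id-ad-caIssuers access methods (RFC 5280, section 4.2.2.1).
ACCESS_METHODS = {
    "1.3.6.1.5.5.7.48.1": "OCSP",
    "1.3.6.1.5.5.7.48.2": "CA Issuers",
}


def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value (content octets) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_aia(der):
    """Return [(access method name, URI), ...] for an AIA extension value."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "AuthorityInfoAccessSyntax must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        assert tag == 0x30, "AccessDescription must be a SEQUENCE"
        oid_tag, oid_raw, p = read_tlv(desc, 0)
        loc_tag, loc_raw, _ = read_tlv(desc, p)
        assert oid_tag == 0x06 and loc_tag == 0x86, "expected OID then [6] URI"
        method = decode_oid(oid_raw)
        result.append((ACCESS_METHODS.get(method, method), loc_raw.decode("ascii")))
    return result


def decode_quoted_aia():
    """Decode the hexdump from the thread into (method, URI) pairs."""
    return parse_aia(bytes.fromhex(AIA_HEX))


if __name__ == "__main__":
    for method, uri in decode_quoted_aia():
        print(f"{method} - URI:{uri}")
```

Run stand-alone it prints the same two entries openssl shows under "Authority Information Access".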