[gnutls-devel] Restrictions on tag types
Kurt Roeckx
kurt at roeckx.be
Sun Jun 1 19:59:43 CEST 2014
On Sun, Jun 01, 2014 at 07:48:28PM +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, 2014-06-01 at 12:44 +0200, Kurt Roeckx wrote:
> > Hi,
> >
> > In lib/x509/common.c there is this:
> > [...]
> > ENTRY("2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING),
> > ENTRY("2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> > ENTRY("2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> > ENTRY("2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> > [...]
> > I'm seeing certificates that encode the "C" with a UTF8String and
> > not a PrintableString, which then results in getting an error that
> > it has invalid DER.
>
> It is invalid encoding as RFC5280 specifies:
> X520countryName ::= PrintableString
I guess I have missed that. Thanks. I guess this is
something I'll add to my list of tests at some point.
> How common are these certificates? Are they so widespread we would need
> to add support for them?
So far I only know about 1 such issuer. And it's in the DN of the
issuer itself so they would need to create a new CA.
Kurt
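
An added example, not part of the original message and not GnuTLS code: a minimal test for the condition discussed in this thread, checking whether a DER-encoded AttributeTypeAndValue for OID 2.5.4.6 carries a PrintableString or some other string tag. The function name `check_country_atv` and the sample byte arrays are constructed for illustration, and only short-form DER lengths are handled.

```c
#include <stdio.h>
#include <string.h>

enum { TAG_OID = 0x06, TAG_UTF8STRING = 0x0C,
       TAG_PRINTABLESTRING = 0x13, TAG_SEQUENCE = 0x30 };

/* Content bytes of OID 2.5.4.6 (countryName). */
static const unsigned char OID_C[] = { 0x55, 0x04, 0x06 };

/* Constructed samples: AttributeTypeAndValue { 2.5.4.6, "BE" }. */
static const unsigned char ATV_PRINTABLE[] = {
    TAG_SEQUENCE, 9, TAG_OID, 3, 0x55, 0x04, 0x06, TAG_PRINTABLESTRING, 2, 'B', 'E' };
static const unsigned char ATV_UTF8[] = {
    TAG_SEQUENCE, 9, TAG_OID, 3, 0x55, 0x04, 0x06, TAG_UTF8STRING, 2, 'B', 'E' };

/* Read one TLV header; short-form lengths only (< 128), enough for one ATV. */
static int read_tlv(const unsigned char *p, size_t len, unsigned char *tag,
                    const unsigned char **val, size_t *vlen)
{
    if (len < 2 || (p[1] & 0x80) || (size_t)p[1] > len - 2)
        return -1;
    *tag = p[0]; *val = p + 2; *vlen = p[1];
    return 0;
}

/* 1: countryName as PrintableString; 0: countryName with another string
 * tag (e.g. UTF8String); -1: malformed input or a different attribute. */
int check_country_atv(const unsigned char *der, size_t len)
{
    unsigned char tag;
    const unsigned char *seq, *oid, *val;
    size_t seqlen, oidlen, vallen, rest;
    if (read_tlv(der, len, &tag, &seq, &seqlen) || tag != TAG_SEQUENCE)
        return -1;
    if (read_tlv(seq, seqlen, &tag, &oid, &oidlen) || tag != TAG_OID)
        return -1;
    if (oidlen != sizeof(OID_C) || memcmp(oid, OID_C, oidlen) != 0)
        return -1;
    rest = seqlen - (2 + oidlen);            /* bytes left for the value TLV */
    if (read_tlv(oid + oidlen, rest, &tag, &val, &vallen) || vallen != rest - 2)
        return -1;
    return tag == TAG_PRINTABLESTRING;
}

int main(void)
{
    printf("PrintableString=%d UTF8String=%d\n",
           check_country_atv(ATV_PRINTABLE, sizeof ATV_PRINTABLE),
           check_country_atv(ATV_UTF8, sizeof ATV_UTF8));
    return 0;
}
```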