[gnutls-devel] turkish CA certificate

Dmitriy Anisimkov anisimkov at ada-ru.org
Fri Jun 6 10:30:25 CEST 2014

On 2014-06-06 15:24, Nikos Mavrogiannopoulos wrote:
> On Fri, Jun 6, 2014 at 10:07 AM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>>> I guess it is trusted and public available.
>>> OpenSSL shows it correctly
>>> openssl x509 -in TURKTRUST_Certificate_Services_Provider_Root_1.pem.crt
>>> -text -noout
>>> But GNUTLS command
>>> certtool --infile TURKTRUST_Certificate_Services_Provider_Root_1.pem -i
>> Hello,
>>  This must be the same certificate Kurt reported few days ago. It
>> mis-encodes the country name as UTF8String rather than printable
>> string, and this is the reason decoding fails.
>> RFC5280 is strict on the encoding of countryName and that is a PrintableString:
>> X520countryName ::=     PrintableString (SIZE (2))
>> I guess all other implementations give some slack to the spec and
>> that's why they didn't notice. How important is that certificate would
>> it make sense to work around and allow such invalid encodings?
> I think there is a good work-around. I've modified gnutls' DN decoding
> to treat invalid encodings as unsupported elements, thus the country
> name will be printed using the hex notation (see below).
> CN=TÜRKTRUST Elektronik Sertifika Hizmet
> Sağlayıcısı,C=#0c025452,L=ANKARA,O=(c) 2005 TÜRKTRUST Bilgi İletişim
> ve Bilişim Güvenliği Hizmetleri A.Ş.

Ok. Thanks,, Frankly it was not critical for me, I just tested my
certificates container by the public available certificates and
found this wrong certificate.

Best Regargs,


More information about the Gnutls-devel mailing list