[gnutls-devel] certificate I can't import

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Aug 16 09:08:44 CEST 2015


On Sat, Aug 15, 2015 at 3:08 PM, Kurt Roeckx <kurt at roeckx.be> wrote:
>> ametzler at argenau:/tmp$ certtool --infile=/tmp/fail.pem -i --debug=4711
>> Setting log level to 4711
>> |<2>| Unknown SIGN OID: '1.2.840.113549.1.1.1'
>> |<2>| signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: RSA-SHA1, (null)
>> 1.2.840.113549.1.1.1 is "rsaEncryption", I *guess* that is not a valid
>> signature algorithm, it should read something like sha1WithRSAEncryption.
> Right,
> OpenSSL also says:
> Signature Algorithm: rsaEncryption
> Signature Algorithm: sha1WithRSAEncryption
> It clearly should not pass validation, but is that a reason not to
> import the certificate?

Hi,
 I decided to treat these errors as parsing errors, because they are
such. A certificate should have the same OID in these two fields, and
in that case it doesn't, so I believe failing to import it is the
reasonable thing to do. Importing it but failing on signature
verification would most likely create more confusion on why this was
not accepted as valid.

regards,
Nikos
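The consistency rule Nikos refers to is RFC 5280 section 4.1.1.2: the AlgorithmIdentifier in `tbsCertificate.signature` must carry the same OID as the outer `signatureAlgorithm`. The following is an added example, not GnuTLS code or anything from the thread, showing how a DER walker can pull both OIDs out of a certificate and refuse it at parse time when they differ. It uses only the Python standard library; the `build_cert` helper constructs a skeletal, deliberately invalid certificate (empty issuer, dummy signature bits) purely so the check has something to run on, reproducing the rsaEncryption vs. sha1WithRSAEncryption mismatch from the debug output above.

```python
"""Reject an X.509 certificate whose two signature-algorithm OIDs disagree.

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
TBSCertificate starts: [0] version OPTIONAL, serialNumber INTEGER, signature AlgorithmIdentifier
AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
"""

OID_NAMES = {  # the two OIDs seen in the thread, for readable output
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def read_tlv(data: bytes, off: int):
    """Decode one DER tag-length-value at `off`; return (tag, value, offset_after)."""
    tag, length = data[off], data[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[off:off + n], "big")
        off += n
    value = data[off:off + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, off + length

def decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body (base-128 arcs) into dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs, acc, pending = [value[0] // 40, value[0] % 40], 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)            # high bit set: more octets follow
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID subidentifier")
    return ".".join(map(str, arcs))

def algorithm_oid(alg_identifier: bytes) -> str:
    """Return the OID of an AlgorithmIdentifier SEQUENCE body (parameters are ignored)."""
    tag, oid_value, _ = read_tlv(alg_identifier, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_value)

def signature_algorithm_oids(cert_der: bytes):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, off = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, outer_alg, _ = read_tlv(cert, off)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                         # EXPLICIT [0] version present: skip it
        tag, _, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    tag, inner_alg, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate.signature is not a SEQUENCE")
    return algorithm_oid(inner_alg), algorithm_oid(outer_alg)

def check_signature_algorithms(cert_der: bytes) -> bool:
    """True when both AlgorithmIdentifiers name the same OID; False means: do not import."""
    inner, outer = signature_algorithm_oids(cert_der)
    return inner == outer

# --- constructed test input (hypothetical, not a real certificate) -----------------
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def alg_id(dotted: str) -> bytes:
    return tlv(0x30, tlv(0x06, encode_oid(dotted)) + tlv(0x05, b""))   # OID + NULL params

def build_cert(inner_oid: str, outer_oid: str) -> bytes:
    """Skeletal certificate: just enough fields for the check; NOT valid X.509."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))   # version v3
                    + tlv(0x02, b"\x01")            # serialNumber 1
                    + alg_id(inner_oid)             # tbsCertificate.signature
                    + tlv(0x30, b""))               # issuer placeholder (empty Name)
    return tlv(0x30, tbs + alg_id(outer_oid) + tlv(0x03, b"\x00" * 17))  # dummy BIT STRING

MISMATCHED = build_cert("1.2.840.113549.1.1.1", "1.2.840.113549.1.1.5")  # the thread's case
CONSISTENT = build_cert("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.5")

if __name__ == "__main__":
    for label, der in (("mismatched", MISMATCHED), ("consistent", CONSISTENT)):
        inner, outer = signature_algorithm_oids(der)
        verdict = "import" if check_signature_algorithms(der) else "reject at parse time"
        print(f"{label}: tbs={OID_NAMES.get(inner, inner)} outer={OID_NAMES.get(outer, outer)} -> {verdict}")
```

Rejecting at parse time, as `check_signature_algorithms` does for `MISMATCHED`, matches the position taken in the reply above: the object is malformed per RFC 5280 before any signature verification is attempted, so a parse error is the clearer diagnostic. A real parser would additionally require the OID to be a known signature algorithm (rsaEncryption is a key-type OID, which is why certtool printed `(null)` for it), and would verify the parameters, not only the OID, agree.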


