<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">CRL Distribution Point is not written to signed certificate, when specified in template.</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">3.6.5</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Ubuntu (3.6.5-2ubuntu1)</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">root-ca.cfg</p>
<pre><code>organization = "Initech"
cn = "Initech Root CA"
expiration_days = 700
ca
cert_signing_key
crl_signing_key
</code></pre>
<p dir="auto">ca.cfg</p>
<pre><code>organization = "Initech"
cn = "Initech CA"
expiration_days = 350
crl_dist_points = "http://crl.initech.lan/Initech_Root_CA.crl"
ca
signing_key
cert_signing_key
crl_signing_key
path_len = 0
</code></pre>
<p dir="auto">Commands:</p>
<pre><code>certtool --generate-privkey --sec-param high --outfile Initech_Root_CA-key.pem
certtool --generate-self-signed --load-privkey Initech_Root_CA-key.pem --template root-ca.cfg --outfile Initech_Root_CA-cert.pem
certtool --generate-privkey --sec-param medium --outfile Initech_CA-key.pem
certtool --generate-request --load-privkey Initech_CA-key.pem --template ca.cfg --outfile Initech_CA-csr.pem
certtool --generate-certificate --load-ca-privkey Initech_Root_CA-key.pem --load-ca-certificate Initech_Root_CA-cert.pem --load-request Initech_CA-csr.pem --template ca.cfg --outfile Initech_CA-cert.pem
</code></pre>
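<p dir="auto">The check to run after the steps above is whether the issued certificate actually carries a CRL Distribution Points extension (id-ce 2.5.29.31). The script below is an added example, not part of this issue or of GnuTLS: it walks the DER of a PEM or DER certificate with a minimal TLV reader and returns the CDP URIs found in the tbsCertificate extensions, or an empty list when the extension is missing (the symptom reported here). <code>make_test_cert</code> builds a constructed, unsigned skeleton certificate so the parser can be exercised offline; on the real output you would call <code>crl_dist_points(open("Initech_CA-cert.pem", "rb").read())</code>.</p>

```python
"""Report the CRL Distribution Point URIs carried by an X.509 certificate (stdlib only)."""
import base64
import re

# Content octets of OID 2.5.29.31 (id-ce-cRLDistributionPoints)
CDP_OID = bytes.fromhex("551d1f")


def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER")
    return tag, content, pos + length


def _children(buf):
    """Yield (tag, content) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        yield tag, content


def crl_dist_points(cert):
    """Return the list of URI distribution points in a PEM or DER certificate ([] if absent)."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", cert)
        cert = base64.b64decode(b"".join(body.split()))
    _, cert_body, _ = _read_tlv(cert, 0)       # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)        # tbsCertificate
    uris = []
    for tag, value in _children(tbs):
        if tag != 0xA3:                        # extensions [3] EXPLICIT
            continue
        _, exts, _ = _read_tlv(value, 0)       # Extensions SEQUENCE
        for _, ext in _children(exts):
            fields = list(_children(ext))      # extnID, [critical], extnValue
            if fields[0][1] != CDP_OID:
                continue
            _, dps, _ = _read_tlv(fields[-1][1], 0)   # CRLDistributionPoints inside the OCTET STRING
            for _, dp in _children(dps):       # each DistributionPoint
                for t, v in _children(dp):
                    if t != 0xA0:              # distributionPoint [0]
                        continue
                    for t2, names in _children(v):
                        if t2 == 0xA0:         # fullName [0] GeneralNames
                            uris += [n.decode("ascii") for gt, n in _children(names) if gt == 0x86]
    return uris


def _tlv(tag, content):
    """Minimal DER encoder used only to build the constructed test input."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_test_cert(cdp_uris):
    """Constructed, unsigned skeleton certificate (placeholder names, key and signature); not a real cert."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # placeholder AlgorithmIdentifier
    name = _tlv(0x30, b"")                                              # empty Name
    validity = _tlv(0x30, _tlv(0x17, b"190101000000Z") + _tlv(0x17, b"200101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00\x00"))
    fields = [_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), alg, name, validity, name, spki]
    if cdp_uris is not None:
        gns = b"".join(_tlv(0x86, u.encode("ascii")) for u in cdp_uris)
        dp = _tlv(0x30, _tlv(0xA0, _tlv(0xA0, gns)))
        ext = _tlv(0x30, _tlv(0x06, CDP_OID) + _tlv(0x04, _tlv(0x30, dp)))
        fields.append(_tlv(0xA3, _tlv(0x30, ext)))
    tbs = _tlv(0x30, b"".join(fields))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))


def to_pem(der):
    """Wrap DER bytes in PEM armor."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(crl_dist_points(make_test_cert(["http://crl.initech.lan/Initech_Root_CA.crl"])))
    print(crl_dist_points(make_test_cert(None)))
```

<p dir="auto">An empty list on the subsidiary CA certificate is exactly the failure described below; the same function on the template's expected output returns the single URI from <code>crl_dist_points</code>.</p>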
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">No CDP in the subsidiary CA certificate. The code doesn't honor the CDP in the template; it only tries to copy the CDP from the signing CA. Copying the CDP from the signing CA doesn't make sense: the CDP is different for the CA and for a certificate it signs.</p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">At least a CDP in the certificate, and preferably only the ones in the template.</p>
<h2 dir="auto">
<a id="user-content-proposed-fix" class="anchor" href="#proposed-fix" aria-hidden="true"></a>Proposed fix:</h2>
<p dir="auto">In certtool.c:<br>
Remove <code>gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);</code><br>
Add <code>get_crl_dist_point_set(crt)</code></p>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
<a href="https://gitlab.com/gnutls/gnutls/issues/765">View this issue on GitLab</a>.
</p>
</div>
</body>
</html>