Working around wrong algorithm specification in certificates

Mads Kiilerich mads at
Tue Jul 20 13:07:34 CEST 2010

  Nikos Mavrogiannopoulos wrote, On 07/20/2010 09:48 AM:
> On Tue, Jul 20, 2010 at 1:14 AM, Mads Kiilerich<mads at>  wrote:
>>   Hi
>> I am trying to use GnuTLS in an application where I for interoperability
>> need to read the public key of x509 certificates.
>> But gnutls_x509_crt_get_pk_rsa_raw fails - because
>> gnutls_x509_crt_get_pk_algorithm returns GNUTLS_PK_UNKNOWN, because the
>> public key oid is SIG_RSA_MD5_OID 1.2.840.113549.1.1.4 instead of the
>> PK_PKIX1_RSA_OID 1.2.840.113549.1.1.1 it should have been.
>> Do you have any idea how I can workaround that? In NSS and openssl it is
>> possible to patch the parsed cert, but it seems like that isn't possible
>> with GnuTLS?
> Do you want to fix the certificate or just read it? If you want to
> read it open gnutls_algorithms.c and add an extra entry to
> pk_algorithms structure for RSA with the OID you describe. Then you
> should be able to read the key. If you want to "fix" it I think this
> is as easy as regenerating it.

The application has to be able to read such certificates. That is how 
windows creates certificates for terminal services...

I would like to able to use the gnutls library installed on the system, 
so patching gnutls source isn't really an option. There is no other way 
to do it? You don't want to pollute your code with workarounds or 
flexibility for stupid bugs like this?


More information about the Gnutls-help mailing list