Working around wrong algorithm specification in certificates

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Jul 20 13:33:20 CEST 2010


On Tue, Jul 20, 2010 at 1:07 PM, Mads Kiilerich <mads at kiilerich.com> wrote:
>> Do you want to fix the certificate or just read it? If you want to
>> read it open gnutls_algorithms.c and add an extra entry to
>> pk_algorithms structure for RSA with the OID you describe. Then you
>> should be able to read the key. If you want to "fix" it I think this
>> is as easy as regenerating it.
>
> The application has to be able to read such certificates. That is how
> Windows creates certificates for terminal services...
> I would like to be able to use the gnutls library installed on the system, so
> patching gnutls source isn't really an option. There is no other way to do
> it?

Since it is a certificate you cannot modify it without breaking the
signature. The most straightforward way to fix that is to (1) fix the
one who is generating the wrong certificates, (2) fix the one who is
reading them to account for the broken ones.

> You don't want to pollute your code with workarounds or flexibility for
> stupid bugs like this?

I was thinking about your copy of gnutls :) If the fix works and the
problem is general the workaround might be included in the gnutls code
as well. I've seen quite some implementations putting wrong OIDs here
and there, and working around those practices is not that exceptional
any more.

regards,
Nikos
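
The read-side workaround discussed in this message, as an added example that is not part of the original e-mail or of the gnutls source: the algorithm OID is pulled out of a SubjectPublicKeyInfo and resolved through a table in which a second OID is accepted as an alias for RSA. The table, function names and sample bytes are hypothetical, and 2.999.1 is a constructed placeholder, not the OID from the thread.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical alias table in the spirit of pk_algorithms: two OIDs, one key type. */
static const struct { const char *oid, *name; } pk_table[] = {
    { "1.2.840.113549.1.1.1", "RSA" },  /* rsaEncryption */
    { "2.999.1",              "RSA" },  /* constructed placeholder for the wrong OID */
};
/* Constructed SubjectPublicKeyInfo stubs; the key is a dummy 1-byte BIT STRING. */
static const unsigned char spki_std[] = { 0x30,0x12,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
    0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x01,0x00 };
static const unsigned char spki_alias[] = { 0x30,0x0c,0x30,0x07,0x06,0x03,0x88,0x37,0x01,
    0x05,0x00,0x03,0x01,0x00 };
/* Parse one DER header with the expected tag; returns header size, 0 on error. */
static size_t der_hdr(const unsigned char *p, size_t n, unsigned char tag, size_t *len) {
    if (n < 2 || p[0] != tag) return 0;
    size_t h = 2, l = p[1], k = l & 0x7f;
    if (l & 0x80) {                       /* long form, at most 2 length bytes */
        if (k == 0 || k > 2 || n < 2 + k) return 0;
        for (l = 0; k--; h++) l = (l << 8) | p[h];
    }
    if (l > n - h) return 0;              /* value must fit in the buffer */
    *len = l; return h;
}
/* Decode OID content bytes to dotted text; returns 0 on success. */
static int oid_text(const unsigned char *p, size_t n, char *out, size_t cap) {
    unsigned long v = 0; size_t used = 0;
    if (n == 0 || cap < 2 || (p[n - 1] & 0x80)) return -1;   /* empty or truncated */
    for (size_t i = 0; i < n; i++) {
        if (v >> 24) return -1;           /* arc larger than we support */
        v = (v << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;        /* more base-128 digits follow */
        if (!used) { unsigned long a = v < 80 ? v / 40 : 2; out[used++] = (char)('0' + a); v -= a * 40; }
        int w = snprintf(out + used, cap - used, ".%lu", v);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w; v = 0;
    }
    return 0;
}
/* Key type named by the SPKI's AlgorithmIdentifier, or NULL if the OID is unknown. */
static const char *pk_from_spki(const unsigned char *p, size_t n) {
    size_t len = 0, h = 0; char oid[64];
    for (int i = 0; i < 2; i++, p += h, n = len)   /* enter SPKI, then AlgorithmIdentifier */
        if (!(h = der_hdr(p, n, 0x30, &len))) return NULL;
    if (!(h = der_hdr(p, n, 0x06, &len)) || oid_text(p + h, len, oid, sizeof oid)) return NULL;
    for (size_t i = 0; i < sizeof pk_table / sizeof *pk_table; i++)
        if (!strcmp(oid, pk_table[i].oid)) return pk_table[i].name;
    return NULL;
}
int main(void) { printf("%s %s\n", pk_from_spki(spki_std, sizeof spki_std), pk_from_spki(spki_alias, sizeof spki_alias)); return 0; }
```

The certificate bytes are never touched, so the issuer's signature still verifies; only the reader's view of which key type the OID names changes.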