[gnutls-help] pkcs12 format not understood by GNUTLS 3.1.18

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jan 11 11:34:43 CET 2014

On 01/10/2014 11:16 PM, Daniel Kahn Gillmor wrote:

>> If CACert.crt is not included in the .pfx file, the code above
>> begins to work with the current GNUTLS release (3.1.18). Is this
>> the expected behavior?
> in lib/gnutls_x509.c, in version 3.1.18, in the comments above 
> so I'd say this is expected behavior -- based on the way the certs are
> placed into the bag emitted by openssl pkcs12, gnutls doesn't know
> which cert to use when your .pfx file contains both the EE's cert and
> the CA's cert. I'm unsure why the complex .pfx file loads at all in
> 2.4.2. Perhaps 2.4.2 will offer the wrong certificate to the TLS peer
> it communicates with if it loads the generated .pfx file?

Most probably the old version returned the first certificate and key
found, and those happened to be the correct ones in that case.

However, in gnutls 3.1.18
gnutls_certificate_set_x509_simple_pkcs12_file() uses
gnutls_pkcs12_simple_parse() which does try to detect
the proper cert key pair based on the key ID which should
be the same on certificate and key.

I've updated the documentation, but I'm quite surprised that the
mismatch error is returned in that case. In fact if I understand well
that error should be returned after the PKCS#12 file is parsed and
loaded, by another sanity check that verifies that the added key has
the same public key algorithm as the certificate.

I added an additional test in tests/set_pkcs12_cred.c, and Anton, I
cannot reproduce the failure you see. Could you provide the
certificates and keys you use, or try to debug the failure case
yourself?
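The key-ID pairing described above can be checked on a .pfx built the way the report describes (EE cert, its key, and CACert.crt added with openssl pkcs12); this is an added example, not code from the thread or from GnuTLS, and the subjects, file names and password are constructed.

```shell
#!/bin/sh
# Added example: gnutls 3.1.18 pairs a certificate with its key through the
# PKCS#12 localKeyID attribute, so the EE cert bag and the key bag must carry
# the same value while the CA cert bag carries none. Everything here is
# constructed: subjects, file names and the password "test".
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=test

# Build CA + EE material and bundle EE cert, key and CACert.crt into one .pfx.
make_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/CACert.crt" -subj "/CN=Example CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ee.key" \
    -out "$WORK/ee.csr" -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/CACert.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/ee.crt" -days 2 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/ee.key" -in "$WORK/ee.crt" \
    -certfile "$WORK/CACert.crt" -passout "pass:$PASS" -out "$WORK/bundle.pfx"
}

# Number of certificate bags in the bundle (EE and CA, so 2).
count_cert_bags() {
  openssl pkcs12 -in "$WORK/bundle.pfx" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# localKeyID of every cert bag that has one; only the EE cert bag should.
cert_key_ids() {
  openssl pkcs12 -in "$WORK/bundle.pfx" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | sed -n 's/^ *localKeyID: //p'
}

# localKeyID of the private key bag.
key_key_id() {
  openssl pkcs12 -in "$WORK/bundle.pfx" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
    | sed -n 's/^ *localKeyID: //p'
}

# Succeeds when exactly one cert bag has a localKeyID and it equals the key's,
# i.e. a key-ID based parser can pick the EE cert unambiguously.
keyids_match() {
  ids=$(cert_key_ids)
  [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] && [ "$ids" = "$(key_key_id)" ]
}

make_pfx
echo "certificate bags: $(count_cert_bags)"
if keyids_match; then echo "EE cert and key share localKeyID $(key_key_id)"; fi
```

If the EE cert bag lacks a localKeyID, or two bags carry one, `keyids_match` fails, which is the situation worth examining in a bundle that the 3.1.18 parser rejects.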
