[gnutls-help] deleting an extension from a x509 certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu May 22 17:28:36 CEST 2014

On Thu, May 22, 2014 at 11:42 AM, DEXTER <mydexterid at gmail.com> wrote:
> Sure. In a proxy firewall environment, you have the server's certificate,
> and you want to copy that cert exactly as is, but you want to remove some of
> the extensions and show that to the client.
> In case of OpenSSL you have an api for that:
> int idx = X509_get_ext_by_NID( cert, nid, -1 ); //get the index
> X509_EXTENSION *ext = X509_get_ext(cert, idx); //get the extension
> if (ext != NULL){ //check that the extension was found
>     X509_delete_ext(cert, idx); //delete the extension
>     X509_EXTENSION_free(ext); //free the memory
> }
> It would be great if GnuTLS had this functionality too.
> Without this api, can you tell me what is the way to copy a certificate and
> only remove some of the extensions from it?

As it is now you have to create a new certificate and copy everything
you need there. In 3.3.x it is a bit simpler as you can simply copy
the DER-encoded extensions, but there is no API to manipulate
certificates, other than add elements. What you specify can be indeed
useful to have, but I don't plan to work on it any time soon. I'd
certainly consider adding that if you contribute the needed pieces.


More information about the Gnutls-help mailing list