[gnutls-help] deleting an extension from a x509 certificate

DEXTER mydexterid at gmail.com
Fri May 23 10:45:29 CEST 2014


I see. We haven't decided yet whether to use GnuTLS or OpenSSL, but if we
decide to go with GnuTLS I'll certainly make that patch.

Thank you.


On Thu, May 22, 2014 at 5:28 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> On Thu, May 22, 2014 at 11:42 AM, DEXTER <mydexterid at gmail.com> wrote:
> > Sure. In a proxy firewall environment, you have the server's certificate,
> > and you want to copy that cert exactly as is, but you want to remove some of
> > the extensions and show that to the client.
> > In case of OpenSSL you have an api for that:
> > int idx = X509_get_ext_by_NID( cert, nid, -1 ); //get the index
> > X509_EXTENSION *ext = X509_get_ext(cert, idx); //get the extension
> > if (ext != NULL){ //check that the extension was found
> >     X509_delete_ext(cert, idx); //delete the extension
> >     X509_EXTENSION_free(ext); //free the memory
> > }
> >
> > It would be great if GnuTLS had this functionality too.
> > Without this api, can you tell me what is the way to copy a certificate and
> > only remove some of the extensions from it?
>
> As it is now you have to create a new certificate and copy everything
> you need there. In 3.3.x it is a bit simpler as you can simply copy
> the DER-encoded extensions, but there is no API to manipulate
> certificates, other than add elements. What you specify can be indeed
> useful to have, but I don't plan to work on it any time soon. I'd
> certainly consider adding that if you contribute the needed pieces.
>
> regards,
> Nikos
>
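
The "copy the DER-encoded extensions, leaving some out" step from the reply above, as an added example (not code from GnuTLS or from either poster): it walks a DER Extensions SEQUENCE and re-encodes it without one OID. The sample bytes and all names are constructed; the result still has to go into a new certificate that is signed again, because the original signature covers the extensions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static const uint8_t SAMPLE_EXTS[] = { 0x30,0x1E,  /* constructed: basicConstraints + keyUsage */
    0x30,0x0C, 0x06,0x03,0x55,0x1D,0x13, 0x01,0x01,0xFF, 0x04,0x02,0x30,0x00,
    0x30,0x0E, 0x06,0x03,0x55,0x1D,0x0F, 0x01,0x01,0xFF, 0x04,0x04,0x03,0x02,0x05,0xA0 };
static const uint8_t OID_KEY_USAGE[] = { 0x55,0x1D,0x0F };  /* content bytes of 2.5.29.15 */

/* Parse a definite-length DER header with the expected tag, bounds-checked. */
static int der_hdr(const uint8_t *p, size_t n, uint8_t tag, size_t *hdr, size_t *len)
{
    if (n < 2 || p[0] != tag) return -1;
    size_t k = p[1] & 0x7f, v = 0;
    if (p[1] < 0x80) { *hdr = 2; *len = p[1]; return *len <= n - 2 ? 0 : -1; }
    if (k == 0 || k > 4 || n < 2 + k) return -1;        /* reject indefinite/huge */
    for (size_t i = 0; i < k; i++) v = (v << 8) | p[2 + i];
    *hdr = 2 + k; *len = v;
    return v <= n - *hdr ? 0 : -1;
}

/* Copy Extensions to out, skipping each Extension whose extnID equals oid.
 * Returns bytes written, or 0 on malformed input or if out_cap < in_len. */
size_t filter_extensions(const uint8_t *in, size_t in_len, const uint8_t *oid,
                         size_t oid_len, uint8_t *out, size_t out_cap)
{
    size_t h, l, eh, el, oh, ol, kept = 0, nh = 0;
    if (der_hdr(in, in_len, 0x30, &h, &l) || h + l != in_len || out_cap < in_len) return 0;
    for (const uint8_t *p = in + h, *end = p + l; p < end; p += eh + el) {
        if (der_hdr(p, (size_t)(end - p), 0x30, &eh, &el)) return 0;   /* Extension */
        if (der_hdr(p + eh, el, 0x06, &oh, &ol)) return 0;             /* extnID    */
        if (ol == oid_len && memcmp(p + eh + oh, oid, ol) == 0) continue;
        memcpy(out + h + kept, p, eh + el);      /* body staged after old header */
        kept += eh + el;
    }
    out[nh++] = 0x30;                            /* re-encode the outer length */
    if (kept >= 0x80) {
        size_t k = 1;
        while (k < 4 && (kept >> (8 * k))) k++;
        out[nh++] = (uint8_t)(0x80 | k);
        while (k--) out[nh++] = (uint8_t)(kept >> (8 * k));
    } else out[nh++] = (uint8_t)kept;
    memmove(out + nh, out + h, kept);            /* new header is never longer */
    return nh + kept;
}

int main(void)
{
    uint8_t out[sizeof SAMPLE_EXTS];
    size_t n = filter_extensions(SAMPLE_EXTS, sizeof SAMPLE_EXTS, OID_KEY_USAGE, 3, out, sizeof out);
    return printf("kept %zu of %zu bytes\n", n, sizeof SAMPLE_EXTS) < 0 || n == 0;
}
```

If every extension is filtered out, the caller should omit the extensions field from the new certificate instead of emitting an empty SEQUENCE.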