[gnutls-help] RFC4514 compliance in gnutls_x509_crt_get_dn()?

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Jul 15 13:43:04 CEST 2016


On Fri, Jul 15, 2016 at 12:01 PM, Pierre Ossman <ossman at cendio.se> wrote:
> Hi,
>
> I was looking at gnutls_x509_crt_get_dn() as a way to generate string
> representations of DNs according to RFC4514. But there are two things that
> strike me as being out of spec:
>  - The order of RDNs is wrong. GnuTLS outputs them first-to-last, but
> RFC4514 states:

It seems you are right, indeed, the strings output by gnutls are first
to last. Would you be interested in fixing that, or contributing a unit
test for various encodings and their expected output strings (similarly
to tests/base64.c)?

>  - The oid list includes some things not in the IANA registry. E.g.
> 1.3.6.1.4.1.311.60.2.1.3 and XmppAddr.

Is that really an issue?

> The oid list also seems a bit arbitrary, which could make interoperability a
> bit annoying. :/

It is based on what we currently see in PKIX certificates. What kind
of interoperability are you concerned about?

regards,
Nikos
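The two points raised in this thread, RDN ordering and attribute-type naming, as an added worked example that is not code from GnuTLS or from either poster. It is a minimal DER Name encoder/parser plus an RFC 4514 serializer in Python. Assumptions: the short-name table is only the mandatory set from RFC 4514 section 3; any other attribute type, including the 1.3.6.1.4.1.311.60.2.1.3 OID mentioned above, is written in dotted-decimal form with its value as `#` followed by the hex of the BER-encoded value (section 2.4); the sample DN is constructed for the example. `last_first=False` reproduces the first-to-last order the thread says GnuTLS currently emits, for comparison.

```python
"""RFC 4514 string form of an X.500 Name, with a tiny DER Name codec.

Added example: not GnuTLS code. Short-name table = RFC 4514 section 3 only.
"""

# Assumption: only the mandatory short names of RFC 4514 section 3.
RFC4514_NAMES = {
    "2.5.4.3": "CN", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.6": "C", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "0.9.2342.19200300.100.1.1": "UID",
}
_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8/Printable/IA5
_SPECIAL = set('"+,;<>\\')


def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(data, pos):
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(data):
    first = data[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def ava(oid, value, tag=0x0C):
    """(oid, ASN.1 tag, raw bytes); UTF8String unless a tag is given."""
    return (oid, tag, value.encode("utf-8"))


def encode_name(rdns):
    """DER Name: SEQUENCE OF SET OF SEQUENCE{OID, value}; first RDN first.
    SET members are sorted by encoding, as DER requires."""
    sets = []
    for rdn in rdns:
        members = [_tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(t, raw))
                   for o, t, raw in rdn]
        sets.append(_tlv(0x31, b"".join(sorted(members))))
    return _tlv(0x30, b"".join(sets))


def parse_name(der):
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        stag, sbody, pos = _read_tlv(body, pos)
        if stag != 0x31:
            raise ValueError("RDN must be a SET")
        rdn, p = [], 0
        while p < len(sbody):
            _, abody, p = _read_tlv(sbody, p)
            _, oid, q = _read_tlv(abody, 0)
            vtag, raw, _ = _read_tlv(abody, q)
            rdn.append((_decode_oid(oid), vtag, raw))
        rdns.append(rdn)
    return rdns


def escape_value(s):
    """RFC 4514 section 2.4: escape specials, leading '#'/space, trailing space, NUL."""
    out, last = [], len(s) - 1
    for i, ch in enumerate(s):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def rfc4514_string(rdns, last_first=True):
    """RFC 4514 section 2.1 lists the last RDN of the DER sequence first.
    last_first=False gives the first-to-last order discussed in the thread."""
    parts = []
    for rdn in (reversed(rdns) if last_first else rdns):
        avas = []
        for oid, vtag, raw in rdn:
            name = RFC4514_NAMES.get(oid)
            if name and vtag in _STRING_TAGS:
                avas.append(f"{name}={escape_value(raw.decode(_STRING_TAGS[vtag]))}")
            else:  # no short name (or non-string value): dotted OID and hex BER
                avas.append(f"{oid}=#{_tlv(vtag, raw).hex()}")
        parts.append("+".join(avas))
    return ",".join(parts)


# Constructed sample DN, most significant RDN first (as in the DER sequence).
SAMPLE_DN = [
    [ava("2.5.4.6", "US")],
    [ava("2.5.4.10", "Example, Inc.")],                     # ',' must be escaped
    [ava("2.5.4.7", "Berlin"), ava("2.5.4.11", "Dev+Ops")], # multi-valued RDN
    [ava("1.3.6.1.4.1.311.60.2.1.3", "US", tag=0x13)],      # no RFC 4514 short name
    [ava("2.5.4.3", "#1 host ")],                           # leading '#', trailing space
]

if __name__ == "__main__":
    print(rfc4514_string(parse_name(encode_name(SAMPLE_DN))))
```

Running it prints `CN=\#1 host\ ,1.3.6.1.4.1.311.60.2.1.3=#13025553,L=Berlin+OU=Dev\+Ops,O=Example\, Inc.,C=US`. A unit test of the kind Nikos asks for would feed DER blobs like `encode_name(SAMPLE_DN)` to the serializer and compare against strings of this shape; note that the hex-value fallback, not a private short name, is what a consumer that only implements the section 3 table will expect for the 1.3.6.1.4.1.311.60.2.1.3 attribute.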


