[gnutls-help] generating self signed cert - no way to set spki
Daiki Ueno
ueno at gnu.org
Thu Aug 27 13:26:13 CEST 2020
Curtis Villamizar <curtis at ipv6.occnc.com> writes:
> That is OK if using RSA. Doesn't help with EC CA certs.
Yes, because the gnutls_x509_spki_t structure was introduced to cover
the use-case of RSA-PSS. The question is why you determine that it's
the cause of the failure you are facing; if you are dealing with EC
certs, that structure shouldn't be used at all. That's why I'm asking
for a reproducer.
Aren't you able to achieve the same task with certtool either?
See also:
https://www.chiark.greenend.org.uk/~sgtatham/bugs.html#symptoms
:-)
Regards,
> Curtis
>
>
> In message <87y2m1cyck.fsf-ueno at gnu.org>
> Daiki Ueno writes:
>>
>> Hello Curtis,
>>
>> Curtis Villamizar <curtis at ipv6.occnc.com> writes:
>>
>> There are quite a lot here and I can't tell what is the root cause until
>> I see the code. Would it be possible to provide a standalone
>> reproducer?
>>
>> > So there are two issues here:
>> >
>> > 1. No way to fill in a spki struct. I may be missing something.
>>
>> This one is easy to answer: you can use gnutls_x509_spki_init,
>> gnutls_x509_spki_set_rsa_pss_params, and gnutls_x509_spki_deinit.
>>
>> Regards,
>> --
>> Daiki Ueno
>
> !DSPAM:5f46975d31589564056514466!
More information about the Gnutls-help
mailing list