[gnutls-help] generating self signed cert - no way to set spki

Daiki Ueno ueno at gnu.org
Thu Aug 27 13:26:13 CEST 2020

Curtis Villamizar <curtis at ipv6.occnc.com> writes:

> That is OK if using RSA.  Doesn't help with EC CA certs.

Yes, because the gnutls_x509_spki_t structure was introduced to cover
the use-case of RSA-PSS.  The question is why you determine that it's
the cause of the failure you are facing; if you are dealing with EC
certs, that structure shouldn't be used at all.  That's why I'm asking
for a reproducer.

Aren't you able to achieve the same task with certtool either?

See also:


> Curtis
> In message <87y2m1cyck.fsf-ueno at gnu.org>
> Daiki Ueno writes:
>> Hello Curtis,
>> Curtis Villamizar <curtis at ipv6.occnc.com> writes:
>> There are quite a lot here and I can't tell what is the root cause until
>> I see the code.  Would it be possible to provide a standalone
>> reproducer?
>> > So there are two issues here:
>> >
>> >   1.  No way to fill in a spki struct.  I may be missing something.
>> This one is easy to answer: you can use gnutls_x509_spki_init,
>> gnutls_x509_spki_set_rsa_pss_params, and gnutls_x509_spki_deinit.
>> Regards,
>> -- 
>> Daiki Ueno
> !DSPAM:5f46975d31589564056514466!

More information about the Gnutls-help mailing list