[gnutls-help] generating self signed cert - no way to set spki

Curtis Villamizar curtis at ipv6.occnc.com
Sat Aug 29 13:31:12 CEST 2020

A bug report has been created.

testcase c++ file provided.  gnutls patch provided.  testcases with
unpatch gnutls fails.  With gnutls patch testcases that are expected
to work do work.  Patch may mask the problem rather than fix it.
Details in the bug report.  Email here is just to close the thread and
move any further discussion to the bug report.


In message <cmu-lmtpd-5917-1598641844-0 at mda23.v6cc2.occnc.com>
Curtis Villamizar writes:

In message <87imd4fhyi.fsf-ueno at gnu.org>
Daiki Ueno writes:
> Curtis Villamizar <curtis at ipv6.occnc.com> writes:
> > That is OK if using RSA.  Doesn't help with EC CA certs.
> Yes, because the gnutls_x509_spki_t structure was introduced to cover
> the use-case of RSA-PSS.  The question is why you determine that it's
> the cause of the failure you are facing; if you are dealing with EC
> certs, that structure shouldn't be used at all.  That's why I'm asking
> for a reproducer.

Right.  I thought what I found in the core dump was a hint as to why I
was trying to initialize an spki struct.

   I'm working with code that worked with prior releases of gnutls (a
   year ago?) but with the current version (3.6.14)
   gnutls_x509_crt_sign2 produces a GNUTLS_E_ASN1_ELEMENT_NOT_FOUND
   apparently in _gnutls_x509_pkix_sign when it tries
   _gnutls_privkey_get_spki_params .

This is from taking a core file and then putting debug statements in
the gnutls code.  If it should not be asking for a spki struct then
that is a possible hint (for me to look at my code).  I couldn't read
the spki from the key since gnutls_x509_*_get_spki produced
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE looking for spki parameters
applicable only to RSA-PSS.

I've tried a bunch of things using my older working key and cert files
and certtool and got various errors from certtool but nothing that
sheds much light on this so I'll have to produce cooked down source
code to reproduce the errors.

> Aren't you able to achieve the same task with certtool either?

I use my own software to generate keys and certs from configuration
files.  I had many years ago used a perl program that did execs to
openssl and looked at the gnutls command line tools as well.  This was
very cumbersome.  Too much info would need to go into perl program
generated config files to run either openssl or gnutls command line
tools and there were some things that were a pain to do (such as check
to see if params in the keys and certs in use matched the latest
configs which required parsing the ascii output).

> See also:
> https://www.chiark.greenend.org.uk/~sgtatham/bugs.html#symptoms
> :-)

Thanks for the useful pointer.

> Regards,

Thanks for looking at this.  I didn't want to leave the conversation
hanging but can't get to this right away.  After getting cooked down c
code to simplify reproducing this I'll get back to you.

> > Curtis
> >
> >
> > In message <87y2m1cyck.fsf-ueno at gnu.org>
> > Daiki Ueno writes:
> >> 
> >> Hello Curtis,
> >>  
> >> Curtis Villamizar <curtis at ipv6.occnc.com> writes:
> >>  
> >> There are quite a lot here and I can't tell what is the root cause until
> >> I see the code.  Would it be possible to provide a standalone
> >> reproducer?
> >>  
> >> > So there are two issues here:
> >> >
> >> >   1.  No way to fill in a spki struct.  I may be missing something.
> >>  
> >> This one is easy to answer: you can use gnutls_x509_spki_init,
> >> gnutls_x509_spki_set_rsa_pss_params, and gnutls_x509_spki_deinit.
> >>  
> >> Regards,
> >> -- 
> >> Daiki Ueno
> >
> > !DSPAM:5f46975d31589564056514466!

More information about the Gnutls-help mailing list