Nikos Mavrogiannopoulos wrote, On 07/21/2010 09:23 AM:
Mads Kiilerich wrote:
You don't want to pollute your code with workarounds or flexibility for
stupid bugs like this?
I was thinking about your copy of gnutls :) If the fix works and the
problem is general the workaround might be included in the gnutls code
as well. I've seen quite some implementations putting wrong OIDs here
and there, and working around those practices is not that exceptional
any more.
This patch works for me and 2.10.0:
--- gnutls-2.10.0/lib/gnutls_algorithms.c.org 2010-07-20
22:57:35.000000000 +0200
+++ gnutls-2.10.0/lib/gnutls_algorithms.c 2010-07-20
22:57:07.000000000 +0200
@@ -2125,6 +2125,7 @@
{"DSA", PK_DSA_OID, GNUTLS_PK_DSA},
{"GOST R 34.10-2001", PK_GOST_R3410_2001_OID, 0},
{"GOST R 34.10-94", PK_GOST_R3410_94_OID, 0},
+ {"RSA (MD5)", SIG_RSA_MD5_OID, GNUTLS_PK_RSA},
{0, 0, 0}
};
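Review bot: the added row `{"RSA (MD5)", SIG_RSA_MD5_OID, GNUTLS_PK_RSA}` puts a SIG_* OID into a table whose visible neighbours are all PK_*_OID entries, and nothing in the hunk says it is a compatibility workaround for certificates that carry the wrong OID. Please add a comment above the row saying so, so it is not later removed as a mistake or copied as a pattern. Also check any lookup on this table keyed by the algorithm value or returning the name string: with this row, GNUTLS_PK_RSA maps to an extra entry, and a key could be reported as "RSA (MD5)", which reads like a signature algorithm rather than a key type.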
I can see that you added PK_X509_RSA_OID since 2.10.0. Could this
perhaps be added too?
There is also anecdotical evidence that SIG_RSA_SHA1_OID needs the same
treatment. I haven't seen that, but getting both fixed at once could be
great.
I've added them to the 2.10.x branch. I've not added the SHA1_OID but if
you have some certificates using it, I'll add it. Clearly this OID
shouldn't have been there!
Thanks!
The anecdote of the need for SIG_RSA_SHA1_OID could be tracked down to
the comments on
http://sourceforge.net/tracker/index.php?func=detail&aid=1744033&group_id=24366&atid=381349
. But the BER encoded certificate on
https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography#A_Typical_Certificate
(which despite the text is _not_ what is displayed) also uses
tbsCertificate.subjectPublicKeyInfo.algorithm=sha1WithRSAEncryption.
Please consider adding support for that too.
If you are going to make a release from gnutls_2_10_x then I hope you
will include "Correctly deinitialize crypto API handles." as well.
However, according to NEWS you have released 2.11.0 already - but it is
not on ftp://ftp.gnu.org/pub/gnu/gnutls/ ?
/Mads
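
Added example, not part of the original message or of GnuTLS: a Python check that reads the algorithm OID from a DER SubjectPublicKeyInfo and flags the case discussed in this thread, where a signature OID (md5WithRSAEncryption or sha1WithRSAEncryption) sits where rsaEncryption belongs. The helper names and the sample SPKI bytes are constructed for illustration.

```python
# Added example: constructed data and hypothetical helper names.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
# Signature OIDs the thread reports in subjectPublicKeyInfo.algorithm.
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def read_tlv(buf, off, limit):
    """Return (tag, start, end) of the DER value at off, bounded by limit."""
    if off + 2 > limit:
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:  # long-form length: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or off + n > limit:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    if off + length > limit:
        raise ValueError("truncated DER value")
    return tag, off, off + length

def decode_oid(content):
    arcs, val = [], 0
    for b in content:  # base-128 digits, high bit marks continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spki_algorithm_oid(spki):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier -> algorithm OID."""
    off, limit = 0, len(spki)
    for expected in (0x30, 0x30, 0x06):
        tag, off, limit = read_tlv(spki, off, limit)
        if tag != expected:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return decode_oid(spki[off:limit])

def check_spki(spki):
    oid = spki_algorithm_oid(spki)
    if oid == RSA_ENCRYPTION:
        return ("ok", oid)
    if oid in SIG_OIDS:
        return ("signature-oid-as-key-algorithm", SIG_OIDS[oid])
    return ("unknown", oid)

def tlv(tag, content):  # short-form encoder, used only to build samples
    return bytes([tag, len(content)]) + content

def sample_spki(oid_hex):  # constructed SPKI with a dummy 2-byte key
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return tlv(0x30, alg + tlv(0x03, b"\x00\xaa\xbb"))

BAD_SPKI = sample_spki("2a864886f70d010105")   # sha1WithRSAEncryption
GOOD_SPKI = sample_spki("2a864886f70d010101")  # rsaEncryption
```
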