Bug#403887: libgnutls fails to parse OpenSSL generated certificates

2007-04-21 Thread Andreas Metzler
On 2007-04-18 Max Kellermann [EMAIL PROTECTED] wrote:
 reopen 403887
 thanks

 On 2007/04/15 14:03, Debian Bug Tracking System [EMAIL PROTECTED] wrote:
  your patch is part of upstream's 1.6.1 release which has been uploaded
  to sid as 1.6.1-2.

 The files have been patched, but upstream has forgotten to regenerate
 lib/pkix_asn1_tab.c from pkix.asn,
[...]
 I could fix that by manually deleting lib/pkix_asn1_tab.c before
 running dpkg-buildpackage.

Thanks for keeping an eye on that. It seems to be fixed in upstream
CVS nowadays  (both in HEAD and gnutls_1_6_x branch).

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#403887: closed by Andreas Metzler [EMAIL PROTECTED] (Re: Bug#403887: libgnutls fails to parse OpenSSL generated certificates)

2007-04-18 Thread Max Kellermann
reopen 403887
thanks

On 2007/04/15 14:03, Debian Bug Tracking System [EMAIL PROTECTED] wrote:
 your patch is part of upstream's 1.6.1 release which has been uploaded
 to sid as 1.6.1-2.

The files have been patched, but upstream has forgotten to regenerate
lib/pkix_asn1_tab.c from pkix.asn, i.e. the binary package still
contains the bug, though the error message is different (because other
files were patched, too):

 |1| Found OID: '0.9.2342.19200300.100.1.1' with value '16036d6178'
 get_dn: ASN1 parser: Element was not found.

I could fix that by manually deleting lib/pkix_asn1_tab.c before
running dpkg-buildpackage.

Max






Bug#403887: libgnutls fails to parse OpenSSL generated certificates

2006-12-20 Thread Max Kellermann
Package: libgnutls13
Version: 1.4.4-3

libgnutls refuses to parse the subject of certificates created by
OpenSSL which have a userid attribute in their subject, i.e. oid
0.9.2342.19200300.100.1.1.  Output of certtool -i:

|1| Found OID: '0.9.2342.19200300.100.1.1' with value
 '13066d6c61626962'
get_dn: ASN1 parser: Error in TAG.

gnutls generates certificates with an ia5String uid, while OpenSSL
generates a printableString.  The latter violates gnutls'
lib/pkix.asn which states:

 -- LDAP stuff
 -- may not be correct
 [...]
 ldap-UID ::= IA5String

Which is indeed not correct.  ldap-UID should be a DirectoryString.




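The hex values quoted in this thread are DER-encoded strings whose first byte is the ASN.1 type tag. As an added example (not part of the original messages and not GnuTLS code), the following decodes them and checks the string type against three definitions of ldap-UID; the function and schema names are made up for illustration, and it models only the tag check, not libtasn1's parser.

```python
# Added example (not GnuTLS code): identify the ASN.1 string type of the
# hex values that certtool prints for the UID attribute.

# Universal-class tags of the ASN.1 string types involved (X.680).
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "TeletexString", 0x16: "IA5String",
               0x1C: "UniversalString", 0x1E: "BMPString"}

# Three definitions of ldap-UID discussed in the thread (names are hypothetical).
RFC_DIRECTORY_STRING = {"TeletexString", "PrintableString",
                        "UniversalString", "UTF8String", "BMPString"}
SCHEMAS = {
    "original (IA5String)": {"IA5String"},
    "DirectoryString per RFC 3280": RFC_DIRECTORY_STRING,
    "patched (DirectoryString + ia5String)": RFC_DIRECTORY_STRING | {"IA5String"},
}


def decode_der_string(hex_value):
    """Parse one DER string TLV given as hex; return (type_name, content)."""
    der = bytes.fromhex(hex_value)
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, length, offset = der[0], der[1], 2
    if tag not in STRING_TAGS:
        raise ValueError(f"not a string tag: 0x{tag:02x}")
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad long-form length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    content = der[offset:]
    if len(content) != length:
        raise ValueError("length field does not match content")
    return STRING_TAGS[tag], content


def check_uid(hex_value):
    """Return the string type, the text, and which schemas accept the type."""
    type_name, content = decode_der_string(hex_value)
    accepted = {name: type_name in allowed for name, allowed in SCHEMAS.items()}
    return type_name, content.decode("ascii", "replace"), accepted


if __name__ == "__main__":
    # The two values quoted in this thread.
    for value in ("13066d6c61626962", "16036d6178"):
        print(value, check_uid(value))
```
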
Bug#403887: libgnutls fails to parse OpenSSL generated certificates

2006-12-20 Thread Max Kellermann
tag 403887 patch
thanks

On 2006/12/20 13:53, Max Kellermann [EMAIL PROTECTED] wrote:
  -- LDAP stuff
  -- may not be correct
  [...]
  ldap-UID ::= IA5String
 
 Which is indeed not correct.  ldap-UID should be a DirectoryString.

Here is a patch for this bug.  I had to add IA5String to the
DirectoryString CHOICE.  This is obviously incorrect, but seems to be
the only way to ensure that certificates generated by certtool can
also be parsed.  Please correct me if there is a better solution.

Max

diff -urN gnutls-1.4.4.orig/lib/pkix.asn gnutls-1.4.4/lib/pkix.asn
--- gnutls-1.4.4.orig/lib/pkix.asn	2005-05-26 17:21:37.0 +0200
+++ gnutls-1.4.4/lib/pkix.asn	2006-12-20 15:07:32.932915000 +0100
@@ -114,7 +114,8 @@
   printableString   PrintableString (SIZE (1..MAX)),
   universalString   UniversalString (SIZE (1..MAX)),
   utf8String  UTF8String (SIZE (1..MAX)),
-  bmpString   BMPString (SIZE(1..MAX))   }
+  bmpString   BMPString (SIZE(1..MAX)),
+  ia5String IA5String (SIZE (1..MAX))   }
 
 id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
 
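Review bot: adding `ia5String` to the shared DirectoryString CHOICE relaxes every attribute defined as DirectoryString, not only ldap-UID, and RFC 3280 defines DirectoryString without an IA5String alternative. Consider leaving DirectoryString unchanged and giving ldap-UID its own CHOICE that lists the DirectoryString alternatives plus `ia5String IA5String (SIZE (1..MAX))`, so certificates written by certtool still parse while other attributes stay strict.
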
@@ -1187,7 +1188,7 @@
 
 id-at-ldap-UID AttributeType ::= { 0 9 2342 19200300 100 1 1 }
 
-ldap-UID ::= IA5String
+ldap-UID ::= DirectoryString
 
 -- rfc3039
 
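Review bot: the patch changes lib/pkix.asn but not the generated lib/pkix_asn1_tab.c, so `ldap-UID ::= DirectoryString` only takes effect if that table is regenerated during the build. Either include the regenerated file in the patch or state in the description that it must be rebuilt from pkix.asn; a stale table combined with the common.c change leaves the parser and the OID table disagreeing about the type of UID.
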
diff -urN gnutls-1.4.4.orig/lib/x509/common.c gnutls-1.4.4/lib/x509/common.c
--- gnutls-1.4.4.orig/lib/x509/common.c	2006-04-04 14:28:44.0 +0200
+++ gnutls-1.4.4/lib/x509/common.c	2006-12-20 15:08:03.838846500 +0100
@@ -74,7 +74,7 @@
   {2.5.4.46, dnQualifier, 0, 1},
 
   {0.9.2342.19200300.100.1.25, DC, 0, 1},
-  {0.9.2342.19200300.100.1.1, UID, 0, 1},
+  {0.9.2342.19200300.100.1.1, UID, 1, 1},
 
   /* PKCS #9
*/
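Review bot: in the UID entry the third field changes from 0 to 1 with no comment, while the DC entry directly above keeps 0. Please say in a comment or in the patch description what the flag selects (presumably that the value is now decoded as a CHOICE, matching the pkix.asn change), and note that this line and the pkix.asn change have to ship together.
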
@@ -254,6 +254,7 @@
* UTF-8 (thus ASCII as well).
*/
   if (strcmp (str, printableString) != 0 
+	  strcmp (str, ia5String) != 0 
 	  strcmp (str, utf8String) != 0)
 	{
 	  non_printable = 1;
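
Review bot: the new `ia5String` comparison treats any value tagged IA5String as printable, but nothing in this hunk checks that the bytes are 7-bit, and the comment above still ends with "UTF-8 (thus ASCII as well)" without mentioning the new case. Update the comment, and consider rejecting or escaping IA5String values that contain bytes above 0x7f before they are returned as text.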


Bug#403887: libgnutls fails to parse OpenSSL generated certificates

2006-12-20 Thread Max Kellermann
On 2006/12/20 15:19, Max Kellermann [EMAIL PROTECTED] wrote:
 Here is a patch for this bug.

Just a note: my patch does not work with the included minitasn
library, you need libtasn.

Max


