Bug#403887: libgnutls failes to parse OpenSSL generated certificates
On 2007-04-18 Max Kellermann [EMAIL PROTECTED] wrote:
> reopen 403887
> thanks

> On 2007/04/15 14:03, Debian Bug Tracking System [EMAIL PROTECTED] wrote:
> > your patch is part of upstream's 1.6.1 release which has been uploaded to sid as 1.6.1-2.

> The files have been patched, but upstream has forgotten to regenerate lib/pkix_asn1_tab.c from pkix.asn,
[...]
> I could fix that by manually deleting lib/pkix_asn1_tab.c before running dpkg-buildpackage.

Thanks for keeping an eye on that. It seems to be fixed in upstream CVS nowadays (both in HEAD and gnutls_1_6_x branch).

cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#403887: closed by Andreas Metzler [EMAIL PROTECTED] (Re: Bug#403887: libgnutls failes to parse OpenSSL generated certificates)
reopen 403887
thanks

On 2007/04/15 14:03, Debian Bug Tracking System [EMAIL PROTECTED] wrote:
> your patch is part of upstream's 1.6.1 release which has been uploaded to sid as 1.6.1-2.

The files have been patched, but upstream has forgotten to regenerate lib/pkix_asn1_tab.c from pkix.asn, i.e. the binary package still contains the bug, though the error message is different (because other files were patched, too):

 |1| Found OID: '0.9.2342.19200300.100.1.1' with value '16036d6178'
 get_dn: ASN1 parser: Element was not found.

I could fix that by manually deleting lib/pkix_asn1_tab.c before running dpkg-buildpackage.

Max
Bug#403887: libgnutls failes to parse OpenSSL generated certificates
Package: libgnutls13
Version: 1.4.4-3

libgnutls refuses to parse the subject of certificates created by OpenSSL which have a userid attribute in their subject, i.e. oid 0.9.2342.19200300.100.1.1. Output of certtool -i:

 |1| Found OID: '0.9.2342.19200300.100.1.1' with value '13066d6c61626962'
 get_dn: ASN1 parser: Error in TAG.

gnutls generates certificates with an ia5String uid, while OpenSSL generates a printableString. The latter violates gnutls' lib/pkix.asn which states:

 -- LDAP stuff
 -- may not be correct
 [...]
 ldap-UID ::= IA5String

Which is indeed not correct. ldap-UID should be a DirectoryString.
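The two hex values quoted in this thread are DER-encoded strings whose first octet is the ASN.1 tag (0x13 PrintableString, 0x16 IA5String). The following is an added example, not part of the original report and not GnuTLS code; the function and table names are hypothetical. It decodes both values and checks them against the three definitions of ldap-UID discussed in the thread.

```python
# Added illustration; names are hypothetical, not GnuTLS or libtasn1 APIs.
# Universal-class tag numbers of the ASN.1 string types involved.
STRING_TAGS = {
    0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
    0x16: "IA5String", 0x1C: "UniversalString", 0x1E: "BMPString",
}
# Alternatives of the DirectoryString CHOICE as defined in RFC 3280.
DIRECTORY_STRING = {"TeletexString", "PrintableString", "UniversalString",
                    "UTF8String", "BMPString"}
# The three definitions of ldap-UID that appear in this thread.
LDAP_UID_DEFINITIONS = {
    "original": {"IA5String"},                    # ldap-UID ::= IA5String
    "strict": DIRECTORY_STRING,                   # DirectoryString, CHOICE unchanged
    "patched": DIRECTORY_STRING | {"IA5String"},  # CHOICE with ia5String added
}

def decode_string_tlv(hex_value):
    """Split one DER string TLV into (type name, content octets)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 2:
        raise ValueError("truncated TLV")
    tag, length, offset = raw[0], raw[1], 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        count = length & 0x7F
        if count == 0 or len(raw) < 2 + count:
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(raw[2:2 + count], "big")
        offset = 2 + count
    if tag not in STRING_TAGS:
        raise ValueError(f"tag 0x{tag:02x} is not a known string type")
    if len(raw) - offset != length:
        raise ValueError("length octets disagree with content size")
    return STRING_TAGS[tag], raw[offset:]

def uid_accepted(definition, hex_value):
    """True if the value's tag is permitted by the named ldap-UID definition."""
    type_name, _ = decode_string_tlv(hex_value)
    return type_name in LDAP_UID_DEFINITIONS[definition]

if __name__ == "__main__":
    # Values copied from the certtool output quoted in this thread.
    for value in ("13066d6c61626962", "16036d6178"):
        name, content = decode_string_tlv(value)
        verdicts = {d: uid_accepted(d, value) for d in LDAP_UID_DEFINITIONS}
        print(value, name, content, verdicts)
```

Only the "patched" definition accepts both the OpenSSL-style PrintableString and the certtool-style IA5String, which is the trade-off the patch later in the thread makes.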
Bug#403887: libgnutls failes to parse OpenSSL generated certificates
tag 403887 patch
thanks

On 2006/12/20 13:53, Max Kellermann [EMAIL PROTECTED] wrote:
>  -- LDAP stuff
>  -- may not be correct
>  [...]
>  ldap-UID ::= IA5String
>
> Which is indeed not correct. ldap-UID should be a DirectoryString.

Here is a patch for this bug. I had to add IA5String to the DirectoryString CHOICE. This is obviously incorrect, but seems to be the only way to ensure that certificates generated by certtool can also be parsed. Please correct me if there is a better solution.

Max

diff -urN gnutls-1.4.4.orig/lib/pkix.asn gnutls-1.4.4/lib/pkix.asn --- gnutls-1.4.4.orig/lib/pkix.asn 2005-05-26 17:21:37.0 +0200 +++ gnutls-1.4.4/lib/pkix.asn 2006-12-20 15:07:32.932915000 +0100 @@ -114,7 +114,8 @@ printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1..MAX)), - bmpString BMPString (SIZE(1..MAX)) } + bmpString BMPString (SIZE(1..MAX)), + ia5String IA5String (SIZE (1..MAX)) } id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } @@ -1187,7 +1188,7 @@ id-at-ldap-UID AttributeType ::= { 0 9 2342 19200300 100 1 1 } -ldap-UID ::= IA5String +ldap-UID ::= DirectoryString -- rfc3039 diff -urN gnutls-1.4.4.orig/lib/x509/common.c gnutls-1.4.4/lib/x509/common.c --- gnutls-1.4.4.orig/lib/x509/common.c 2006-04-04 14:28:44.0 +0200 +++ gnutls-1.4.4/lib/x509/common.c 2006-12-20 15:08:03.838846500 +0100 @@ -74,7 +74,7 @@ {2.5.4.46, dnQualifier, 0, 1}, {0.9.2342.19200300.100.1.25, DC, 0, 1}, - {0.9.2342.19200300.100.1.1, UID, 0, 1}, + {0.9.2342.19200300.100.1.1, UID, 1, 1}, /* PKCS #9 */ @@ -254,6 +254,7 @@ * UTF-8 (thus ASCII as well). */ if (strcmp (str, printableString) != 0 + strcmp (str, ia5String) != 0 strcmp (str, utf8String) != 0) { non_printable = 1;
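Review bot: in the first lib/pkix.asn hunk (@@ -114), adding `ia5String IA5String (SIZE (1..MAX))` to the DirectoryString CHOICE loosens every attribute typed as DirectoryString, not only ldap-UID, which is more than this bug needs. Consider leaving DirectoryString as it was and giving ldap-UID its own CHOICE that lists the DirectoryString alternatives plus ia5String, so that UIDs generated by certtool still parse without other attributes starting to accept IA5String.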
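Review bot: the second lib/pkix.asn hunk (@@ -1187) changes the definition to `ldap-UID ::= DirectoryString`, but the patch touches only lib/pkix.asn and lib/x509/common.c and carries no regenerated lib/pkix_asn1_tab.c. Either include the regenerated table in the patch or make sure the build recreates it from pkix.asn; otherwise the built library keeps the old definition, which is the situation the reopen message in this thread reports for 1.6.1-2.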
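Review bot: in the lib/x509/common.c hunk at @@ -254, the added `strcmp (str, ia5String) != 0` exempts ia5String from setting non_printable, yet nothing in the visible lines checks that the content really is 7-bit, and the comment above still names only UTF-8 and ASCII. Suggest verifying that every octet is below 0x80 before treating an IA5String value as printable, taking the non_printable path otherwise, and updating the comment to mention IA5String.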
Bug#403887: libgnutls failes to parse OpenSSL generated certificates
On 2006/12/20 15:19, Max Kellermann [EMAIL PROTECTED] wrote:
> Here is a patch for this bug.

Just a note: my patch does not work with the included minitasn library, you need libtasn.

Max