
List:       gnutls-dev
Subject:    Re: [gnutls-devel] Restrictions on tag types
From:       Kurt Roeckx <kurt () roeckx ! be>
Date:       2014-06-01 17:59:43
Message-ID: 20140601175943.GA3434 () roeckx ! be

On Sun, Jun 01, 2014 at 07:48:28PM +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, 2014-06-01 at 12:44 +0200, Kurt Roeckx wrote:
> > Hi,
> > 
> > In lib/x509/common.c there is this:
> > [...]
> >         ENTRY("2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING),
> >         ENTRY("2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> >         ENTRY("2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> >         ENTRY("2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> > [...]
> > I'm seeing certificates that encode the "C" with a UTF8String and
> > not a PrintableString, which then results in getting an error that
> > it has invalid DER.
> 
> It is invalid encoding as RFC5280 specifies:
> X520countryName ::=     PrintableString

I guess I have missed that.  Thanks.  I guess this is
something I'll add to my list of tests at some point.

> How common are these certificates? Are they so widespread we would need
> to add support for them?

So far I only know about 1 such issuer.  And it's in the DN of the
issuer itself so they would need to create a new CA.


Kurt


_______________________________________________
Gnutls-devel mailing list
Gnutls-devel@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
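
An added example, not part of the thread and not GnuTLS code: a small DER walker that finds the countryName attribute (OID 2.5.4.6) in an encoded Name and returns the tag of its value, so a test suite can tell a PrintableString (0x13) from the UTF8String (0x0C) encoding discussed above. The function names and the sample byte strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { TAG_UTF8STRING = 0x0C, TAG_PRINTABLESTRING = 0x13 };
/* Constructed sample Names (not from a real certificate): C=US with the value
 * as PrintableString (what RFC 5280 specifies) and as UTF8String. */
static const unsigned char NAME_PRINTABLE[] =
    { 0x30,0x0D, 0x31,0x0B, 0x30,0x09, 0x06,0x03,0x55,0x04,0x06, 0x13,0x02,'U','S' };
static const unsigned char NAME_UTF8[] =
    { 0x30,0x0D, 0x31,0x0B, 0x30,0x09, 0x06,0x03,0x55,0x04,0x06, 0x0C,0x02,'U','S' };

/* Parse one DER TLV header; returns header size, or 0 if malformed/truncated. */
static size_t tlv(const unsigned char *p, size_t n, unsigned char *tag, size_t *len)
{
    size_t hdr = 2, k;
    if (n < 2 || (p[0] & 0x1F) == 0x1F) return 0;   /* high-tag-number form unsupported */
    *tag = p[0]; *len = p[1];
    if (p[1] >= 0x80) {                              /* long-form length, up to 2 bytes */
        k = p[1] & 0x7F;
        if (k == 0 || k > 2 || n < 2 + k) return 0;
        for (*len = 0; hdr < 2 + k; hdr++) *len = (*len << 8) | p[hdr];
    }
    return *len <= n - hdr ? hdr : 0;                /* value must fit in the buffer */
}

/* Tag of the countryName value in a DER Name; 0 if absent, -1 if malformed. */
int country_tag(const unsigned char *name, size_t n)
{
    static const unsigned char OID_C[] = { 0x55, 0x04, 0x06 };   /* 2.5.4.6 */
    const unsigned char *rdn, *end, *atv, *set_end, *q, *atv_end;
    unsigned char tag; size_t len, olen, h;
    if (!(h = tlv(name, n, &tag, &len)) || tag != 0x30) return -1;   /* RDNSequence */
    for (rdn = name + h, end = rdn + len; rdn < end; rdn = set_end) {
        if (!(h = tlv(rdn, (size_t)(end - rdn), &tag, &len)) || tag != 0x31) return -1;
        for (atv = rdn + h, set_end = atv + len; atv < set_end; atv = atv_end) {
            if (!(h = tlv(atv, (size_t)(set_end - atv), &tag, &len)) || tag != 0x30) return -1;
            q = atv + h; atv_end = q + len;          /* AttributeTypeAndValue body */
            if (!(h = tlv(q, len, &tag, &olen)) || tag != 0x06) return -1;
            q += h;                                  /* q now points at the OID bytes */
            if (!tlv(q + olen, (size_t)(atv_end - q) - olen, &tag, &len)) return -1;
            if (olen == sizeof OID_C && memcmp(q, OID_C, olen) == 0) return tag;
        }
    }
    return 0;
}

int main(void)
{
    printf("PrintableString sample: 0x%02X, UTF8String sample: 0x%02X\n",
           (unsigned)country_tag(NAME_PRINTABLE, sizeof NAME_PRINTABLE),
           (unsigned)country_tag(NAME_UTF8, sizeof NAME_UTF8));
    return 0;
}
```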