From: Mads Kiilerich
Subject: Re: Working around wrong algorithm specification in certificates
Date: Sat, 24 Jul 2010 03:06:49 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.4) Gecko/20100624 Fedora/3.1-1.fc13 Thunderbird/3.1
Nikos Mavrogiannopoulos wrote, On 07/21/2010 09:23 AM:
Mads Kiilerich wrote:
You don't want to pollute your code with workarounds or flexibility for stupid bugs like this?
I was thinking about your copy of gnutls :) If the fix works and the problem is general the workaround might be included in the gnutls code as well. I've seen quite some implementations putting wrong OIDs here and there, and working around those practices is not that exceptional any more.
This patch works for me and 2.10.0:
--- gnutls-2.10.0/lib/gnutls_algorithms.c.org 2010-07-20 22:57:35.000000000 +0200 +++ gnutls-2.10.0/lib/gnutls_algorithms.c 2010-07-20 22:57:07.000000000 +0200 @@ -2125,6 +2125,7 @@ {"DSA", PK_DSA_OID, GNUTLS_PK_DSA}, {"GOST R 34.10-2001", PK_GOST_R3410_2001_OID, 0}, {"GOST R 34.10-94", PK_GOST_R3410_94_OID, 0}, + {"RSA (MD5)", SIG_RSA_MD5_OID, GNUTLS_PK_RSA}, {0, 0, 0} };
I can see that you added PK_X509_RSA_OID since 2.10.0. Could this perhaps be added too? There is also anecdotical evidence that SIG_RSA_SHA1_OID needs the same treatment. I haven't seen that, but getting both fixed at once could be great.
I've added them to the 2.10.x branch. I've not added the SHA1_OID but if you have some certificates using it, I'll add it. Clearly this OID shouldn't have been there!
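Review bot: the added row {"RSA (MD5)", SIG_RSA_MD5_OID, GNUTLS_PK_RSA} puts a signature-algorithm OID into a table whose other visible rows all use PK_*_OID constants, and nothing in the hunk says why. Add a comment on that row stating that it is a compatibility workaround for certificates that carry a signature OID in subjectPublicKeyInfo.algorithm, so that it is not later removed as a mistake or copied as a pattern. Before the SIG_RSA_SHA1_OID row discussed here is added as well, check whether any lookup walks this table by algorithm id rather than by OID; if one does, rows that share GNUTLS_PK_RSA should come after the canonical RSA row so that the reported name and OID stay the canonical ones.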
Thanks!
The anecdote of the need for SIG_RSA_SHA1_OID could be tracked down to the comments on http://sourceforge.net/tracker/index.php?func=detail&aid=1744033&group_id=24366&atid=381349 . But the BER encoded certificate on https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography#A_Typical_Certificate (which, despite the text, is _not_ what is displayed) also uses tbsCertificate.subjectPublicKeyInfo.algorithm=sha1WithRSAEncryption. Please consider adding support for that too.
If you are going to make a release from gnutls_2_10_x then I hope you will include "Correctly deinitialize crypto API handles." as well.
However, according to NEWS you have released 2.11.0 already - but it is not on ftp://ftp.gnu.org/pub/gnu/gnutls/ ?
/Mads
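The mislabelling discussed in this message can be checked for directly. The following is an added example, not part of the original e-mail and not GnuTLS code: a small DER walker that reads tbsCertificate.subjectPublicKeyInfo.algorithm and flags md5WithRSAEncryption or sha1WithRSAEncryption where rsaEncryption is expected. The function names and the constructed certificate skeleton in sample_cert are assumptions made for the illustration.

```python
# Added example, not GnuTLS code: flag a signature OID in subjectPublicKeyInfo.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                  "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); definite lengths, one-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed value into (tag, value) members
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(val):  # handles first arc 0 or 1, enough for the OIDs above
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def spki_algorithm(cert_der):
    """Return the dotted OID in tbsCertificate.subjectPublicKeyInfo.algorithm."""
    tbs = children(children(read_tlv(cert_der, 0)[1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip optional [0] version
    # remaining order: serial, signature, issuer, validity, subject, SPKI
    return decode_oid(children(children(tbs[5][1])[0][1])[0][1])

def classify(cert_der):
    oid = spki_algorithm(cert_der)
    if oid in SIGNATURE_OIDS:
        return "mislabelled:" + SIGNATURE_OIDS[oid]
    return "ok" if oid == RSA_ENCRYPTION else "other:" + oid

def sample_cert(spki_oid):  # constructed skeleton, not a real certificate
    t = lambda tag, body=b"": bytes([tag, len(body)]) + body
    sig = t(0x30, t(0x06, bytes.fromhex("2a864886f70d010105")) + t(0x05))
    spki = t(0x30, t(0x30, t(0x06, spki_oid) + t(0x05)) + t(0x03, b"\x00"))
    tbs = t(0x30, t(0xA0, t(0x02, b"\x02")) + t(0x02, b"\x01") + sig + t(0x30) * 3 + spki)
    return t(0x30, tbs + sig + t(0x03, b"\x00"))
```

To check a real certificate, pass its DER bytes to classify; PEM input has to be base64-decoded first.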