help-gnutls

Re: Working around wrong algorithm specification in certificates


From: Mads Kiilerich
Subject: Re: Working around wrong algorithm specification in certificates
Date: Sat, 24 Jul 2010 03:06:49 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.4) Gecko/20100624 Fedora/3.1-1.fc13 Thunderbird/3.1

Nikos Mavrogiannopoulos wrote, On 07/21/2010 09:23 AM:
Mads Kiilerich wrote:

You don't want to pollute your code with workarounds or flexibility for
stupid bugs like this?
I was thinking about your copy of gnutls :) If the fix works and the
problem is general the workaround might be included in the gnutls code
as well. I've seen quite a few implementations putting wrong OIDs here
and there, and working around those practices is not that exceptional
any more.
This patch works for me and 2.10.0:

--- gnutls-2.10.0/lib/gnutls_algorithms.c.org   2010-07-20
22:57:35.000000000 +0200
+++ gnutls-2.10.0/lib/gnutls_algorithms.c       2010-07-20
22:57:07.000000000 +0200
@@ -2125,6 +2125,7 @@
    {"DSA", PK_DSA_OID, GNUTLS_PK_DSA},
    {"GOST R 34.10-2001", PK_GOST_R3410_2001_OID, 0},
    {"GOST R 34.10-94", PK_GOST_R3410_94_OID, 0},
+  {"RSA (MD5)", SIG_RSA_MD5_OID, GNUTLS_PK_RSA},
    {0, 0, 0}
  };
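Review bot: the added row maps the md5WithRSAEncryption signature OID (SIG_RSA_MD5_OID) into what is, judging by the DSA and GOST rows around it, the public-key algorithm table, but nothing in the hunk records that it is a compatibility entry for certificates that wrongly carry a signature OID in subjectPublicKeyInfo.algorithm; add a comment on the new line saying so, e.g. `+  {"RSA (MD5)", SIG_RSA_MD5_OID, GNUTLS_PK_RSA}, /* workaround: some certs put the signature OID in SPKI */`, so a later reader does not take "RSA (MD5)" for a legitimate key algorithm. Also worth checking before merging: if this table is consulted in the reverse direction (GNUTLS_PK_RSA to OID) when writing out keys or certificates, the new row must sit where it can never be chosen over the canonical RSA entry, otherwise the workaround would start emitting the wrong OID itself.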

I can see that you added PK_X509_RSA_OID since 2.10.0. Could this
perhaps be added too?
There is also anecdotal evidence that SIG_RSA_SHA1_OID needs the same
treatment. I haven't seen that, but getting both fixed at once could be
great.
I've added them to the 2.10.x branch. I've not added the SHA1_OID but if
you have some certificates using it, I'll add it. Clearly this OID
shouldn't have been there!

Thanks!

The anecdote about the need for SIG_RSA_SHA1_OID could be tracked down to the comments on http://sourceforge.net/tracker/index.php?func=detail&aid=1744033&group_id=24366&atid=381349 . But the BER encoded certificate on https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography#A_Typical_Certificate (which, despite the text, is _not_ what is displayed) also uses tbsCertificate.subjectPublicKeyInfo.algorithm=sha1WithRSAEncryption. Please consider adding support for that too.

If you are going to make a release from gnutls_2_10_x then I hope you will include "Correctly deinitialize crypto API handles." as well.

However, according to NEWS you have released 2.11.0 already - but it is not on ftp://ftp.gnu.org/pub/gnu/gnutls/ ?

/Mads
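The misplaced-OID case discussed in this thread, as an added example that is not from the thread or from GnuTLS: a minimal pure-Python DER walker that reads tbsCertificate.subjectPublicKeyInfo.algorithm and reports when it carries md5WithRSAEncryption or sha1WithRSAEncryption instead of rsaEncryption. The OID strings are the standard PKCS#1 values; `constructed_cert` builds a skeletal, constructed certificate purely to exercise the check and is not real certificate data.

```python
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
MISPLACED_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                      "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def read_tlv(buf, pos):                    # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(content):                   # OBJECT IDENTIFIER content octets -> dotted form
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last octet of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def spki_algorithm_oid(cert):
    _, pos, _ = read_tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)        # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, pos, _ = read_tlv(cert, pos)        # subjectPublicKeyInfo SEQUENCE
    _, pos, _ = read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(cert, pos)  # algorithm field, must be an OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("subjectPublicKeyInfo.algorithm is not an OBJECT IDENTIFIER")
    return decode_oid(cert[start:end])

def check_spki_algorithm(cert):
    oid = spki_algorithm_oid(cert)
    if oid in MISPLACED_SIG_OIDS:
        return "misplaced signature OID " + MISPLACED_SIG_OIDS[oid]
    return "ok" if oid == RSA_ENCRYPTION else "unknown algorithm " + oid

# Constructed sample (not a real certificate): short-form DER encoder plus a skeletal cert.
def tlv(tag, content):
    return bytes([tag, len(content)]) + content
def constructed_cert(spki_last_arc):       # SPKI algorithm = PKCS#1 OID prefix + one arc
    alg = lambda arc: tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([arc])) + b"\x05\x00")
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(5)  # v3, serial 1, sha1WithRSA sig
           + tlv(0x30, b"") * 3                                          # empty issuer, validity, subject
           + tlv(0x30, alg(spki_last_arc) + tlv(0x03, b"\x00")))         # subjectPublicKeyInfo
    return tlv(0x30, tlv(0x30, tbs) + alg(5) + tlv(0x03, b"\x00"))
```

Run against a real DER file with `check_spki_algorithm(open("cert.der", "rb").read())`; a certificate like the ones discussed above returns "misplaced signature OID sha1WithRSAEncryption" rather than "ok".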

