[Pkg-gnutls-maint] Bug#403072: exim4-daemon-light fails to use equifax SSL cert/key obtained from "1&1" hosting

Andreas Metzler ametzler at downhill.at.eu.org
Sun Dec 17 12:42:50 CET 2006


On 2006-12-15 Felix Palmen <fmp at palmen.homeip.net> wrote:
> * James Westby <jw+debian at jameswestby.net> [20061215 18:24]:
> > However I think there is still a bug. GnuTLS can create PKCS#8 keys
> > (certtool -p -8), so I think it should be able to read them. I just
> > generated one with the above command, and then certtool -k failed with a
> > base64 decoding error.

> At least, the source of the problem is not obvious to the user at all.

> > So this bug should be to add support for reading PKCS#8 keys, or at the
> > very least give a sensible error message.

> Agreed. After all, there is pkcs8-decoding code in the library, so
> it should not be too hard to make it recognize a key starting with
> -----BEGIN PRIVATE KEY----- and try pkcs8 on it.
[...]

Hello,
certtool can read pkcs8-encoded keys (if -8 is passed as an option),
however the function used by exim and gnutls-serv cannot:

| gnutls_certificate_set_x509_key_file   -   Used   to   set  keys  in a
| gnutls_certificate_credentials_t structure
[...] 
| DESCRIPTION
| This function sets a certificate/private key pair  in  the
| gnutls_certificate_credentials_t structure. This function may be
| called more than once (in case multiple keys/certificates exist for
| the server).
| 
| Currently only PKCS-1 encoded RSA and DSA private keys are accepted
| by this function.

Some gnutls functions seem to handle PKCS-8 automatically (e.g.
parse_pkcs12) but most of them require the stuff to be in PKCS-1
format.
cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken.                                (c) Jasper Ffforde
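
A worked example of the practical consequence of the above, added here and
not part of the bug report or of the exim/GnuTLS code: tell the two PEM
private-key encodings apart by their header, and convert an unencrypted
PKCS#8 key ("-----BEGIN PRIVATE KEY-----") into the PKCS#1 form
("-----BEGIN RSA PRIVATE KEY-----") that gnutls_certificate_set_x509_key_file
accepts. The conversion is delegated to OpenSSL rather than certtool; the
script assumes "openssl pkey -traditional" is available (OpenSSL 1.1.0 or
later) and that the key is not passphrase-protected.

```sh
#!/bin/sh
# Added example, not taken from the bug report or from exim/GnuTLS.
# Assumes OpenSSL 1.1.0+ for "openssl pkey -traditional".

# Classify the first private-key block in a PEM file by its header:
#   pkcs1     "-----BEGIN RSA PRIVATE KEY-----" / "-----BEGIN DSA PRIVATE KEY-----"
#   pkcs8     "-----BEGIN PRIVATE KEY-----"           (unencrypted PKCS#8)
#   pkcs8-enc "-----BEGIN ENCRYPTED PRIVATE KEY-----" (passphrase-protected PKCS#8)
#   none      no private key block at all (e.g. a certificate-only file)
pem_key_kind() {
    header=$(grep -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null | head -n 1)
    case "$header" in
        *"BEGIN RSA PRIVATE KEY"*|*"BEGIN DSA PRIVATE KEY"*) echo pkcs1 ;;
        *"BEGIN ENCRYPTED PRIVATE KEY"*)                     echo pkcs8-enc ;;
        *"BEGIN PRIVATE KEY"*)                               echo pkcs8 ;;
        *)                                                   echo none ;;
    esac
}

# Write a PKCS#1 copy of key file $1 to $2 and return 0 on success.
# Encrypted keys are refused: a daemon started from an init script has
# nobody to type the passphrase, so strip it deliberately beforehand.
pkcs8_to_pkcs1() {
    src=$1
    dst=$2
    case $(pem_key_kind "$src") in
        pkcs1)
            cp "$src" "$dst" || return 1 ;;          # already in the accepted form
        pkcs8)
            openssl pkey -in "$src" -out "$dst" -traditional || return 1 ;;
        pkcs8-enc)
            echo "$src: encrypted PKCS#8 key, remove the passphrase first" >&2
            return 1 ;;
        *)
            echo "$src: no private key found" >&2
            return 1 ;;
    esac
    # The converted key is in the clear: keep it readable by the daemon only.
    chmod 600 "$dst"
    # Confirm the result carries the PKCS#1 header GnuTLS is looking for.
    [ "$(pem_key_kind "$dst")" = pkcs1 ]
}

# Command-line use: keyconv.sh in.pem out.pem (no-op when sourced or run
# without arguments).
if [ $# -eq 2 ]; then
    pkcs8_to_pkcs1 "$1" "$2"
fi
```

Point exim's tls_privatekey at the converted file (and keep it owned by the
user the daemon runs as); tls_certificate can stay as it is, since only the
key encoding is at issue here. Running pem_key_kind on the original file is
also the quickest way to see whether "base64 decoding error" from certtool -k
really means "this is PKCS#8, pass -8".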