Bug#686690: gnutls-bin: certtool generates buggy certificates

Clint Adams clint at debian.org
Tue Sep 4 19:08:23 UTC 2012


Package: gnutls-bin
Version: 2.8.6-1+squeeze2

The certtool in squeeze, when given the template

--8<-- snip --8<--
cn = Test Squeeze Certificate Authority
ca
cert_signing_key
expiration_days = 3653
--8<-- snip --8<--

and told to generate a self-signed cert, produces
the attached file "squeeze.pem".

According to RFC 2459, the TBSCertificate signature
and the SubjectPublicKeyInfo elements should be
identical AlgorithmIdentifiers, which should be
SEQUENCE { algOID, params }.

Section 7.2.1 states that for RSA signature algorithms,
params should be the ASN.1 type NULL.  This is
not the case in squeeze.pem, though it is in
wheezy.pem, which has been generated by the certtool
in gnutls-bin 3.0.20-3.
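
The check described in the report above can be automated. The following is an added example, not part of the original report or of GnuTLS: it walks a DER structure and reports, for every AlgorithmIdentifier carrying a PKCS#1 (RSA) OID, whether params is NULL, absent, or something else. The function names and the certificate-shaped sample bytes are constructed for illustration.

```python
# DER content bytes of the PKCS#1 OID arc 1.2.840.113549.1.1; one more byte holds the last arc
PKCS1 = bytes.fromhex("2a864886f70d0101")

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); single-byte tags only, which X.509 uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:pos + length], pos + length

def rsa_algorithm_params(der: bytes):
    """List (last OID arc, 'NULL' | 'absent' | 'other') per PKCS#1 AlgorithmIdentifier."""
    found = []
    def walk(tag, body):
        if not tag & 0x20:                  # primitive element: nothing nested to inspect
            return
        kids, pos = [], 0
        while pos < len(body):
            t, c, pos = read_tlv(body, pos)
            kids.append((t, c))
        # AlgorithmIdentifier ::= SEQUENCE { OID, optional params }
        if tag == 0x30 and kids and kids[0][0] == 0x06 and kids[0][1][:-1] == PKCS1:
            params = kids[1:]
            state = "absent" if not params else "NULL" if params == [(0x05, b"")] else "other"
            found.append((kids[0][1][-1], state))
            return
        for t, c in kids:
            walk(t, c)
    tag, body, _ = read_tlv(der, 0)
    walk(tag, body)
    return found

# Constructed skeletons shaped like a certificate (not valid certificates; short lengths only)
def tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def skeleton(sig_params: bytes) -> bytes:
    sig_alg = tlv(0x30, tlv(0x06, PKCS1 + b"\x05"), sig_params)   # sha1WithRSAEncryption
    spki = tlv(0x30, tlv(0x30, tlv(0x06, PKCS1 + b"\x01"), tlv(0x05)), tlv(0x03, b"\x00"))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"), sig_alg, spki), sig_alg, tlv(0x03, b"\x00"))
```

To check a real certificate, pass the base64-decoded body of its PEM file to `rsa_algorithm_params`; arc 5 is sha1WithRSAEncryption and arc 1 is rsaEncryption.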