Sure. In a proxy firewall environment, you have the server's certificate,
and you want to copy that cert exactly as is, but you want to remove some
of the extensions and show that to the client.
In case of OpenSSL you have an API for that:

    int idx = X509_get_ext_by_NID(cert, nid, -1);   // get the index
    X509_EXTENSION *ext = X509_get_ext(cert, idx);  // get the extension
    if (ext != NULL) {                              // check that the extension was found
        X509_delete_ext(cert, idx);                 // delete the extension
        X509_EXTENSION_free(ext);                   // free the memory
    }

It would be great if GnuTLS had this functionality too.
Without this api, can you tell me what is the way to copy a certificate and
only remove some of the extensions from it?
Thanks.
On Thu, May 22, 2014 at 9:03 AM, Nikos Mavrogiannopoulos <[email protected]> wrote:
> On Wed, May 21, 2014 at 4:28 PM, DEXTER <[email protected]> wrote:
> > Hi,
> >
> > Is there a way to delete an extension from an x509 certificate?
> > I found no API to do that, only get/set apis.
> > Also found a very old patch here:
> > http://marc.info/?l=gnupg-commit-watchers&m=108192753710809
> > removing the ability to delete an extension.
>
> It was never part of the API, as it is designed around the generate
> and read use-cases. Could you describe your use case for that
> functionality?
>
> regards,
> Nikos
>
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
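
What removing an extension amounts to at the DER level, whichever library performs it, as an added example that is not part of the thread and is neither GnuTLS nor OpenSSL code. The names `SAMPLE_EXTS`, `OID_SKI`, `der_hdr` and `strip_extension` are made up for the example, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>
/* Constructed sample: an Extensions SEQUENCE holding basicConstraints
 * (2.5.29.19, critical, CA:TRUE) and subjectKeyIdentifier (2.5.29.14). */
static const unsigned char SAMPLE_EXTS[] = { 0x30,0x20,
    0x30,0x0F, 0x06,0x03,0x55,0x1D,0x13, 0x01,0x01,0xFF, 0x04,0x05,0x30,0x03,0x01,0x01,0xFF,
    0x30,0x0D, 0x06,0x03,0x55,0x1D,0x0E, 0x04,0x06,0x04,0x04,0xDE,0xAD,0xBE,0xEF };
static const unsigned char OID_SKI[] = { 0x55,0x1D,0x0E };   /* OID content bytes */

/* Parse a DER tag+length header at p; returns header size, 0 if malformed. */
static size_t der_hdr(const unsigned char *p, size_t avail, size_t *len) {
    size_t n = 2, k;
    if (avail < 2) return 0;
    *len = p[1];
    if (p[1] & 0x80) {                  /* long form: next k bytes hold the length */
        k = p[1] & 0x7F;
        if (k == 0 || k > 2 || avail < 2 + k) return 0;
        for (*len = 0; n < 2 + k; n++) *len = (*len << 8) | p[n];
    }
    return *len <= avail - n ? n : 0;   /* value must fit in what is left */
}

/* Copy the Extensions SEQUENCE in[0..in_len) to out (capacity in_len), leaving out
 * every Extension whose extnID equals oid. Returns the new length, 0 if malformed. */
size_t strip_extension(const unsigned char *in, size_t in_len,
                       const unsigned char *oid, size_t oid_len, unsigned char *out) {
    size_t body, h = der_hdr(in, in_len, &body), kept = 0, nh;
    const unsigned char *p = in + h, *end = in + in_len;
    if (!h || in[0] != 0x30 || h + body != in_len) return 0;
    while (p < end) {
        size_t elen, olen, eh = der_hdr(p, (size_t)(end - p), &elen), oh;
        if (!eh || p[0] != 0x30) return 0;          /* each Extension is a SEQUENCE */
        oh = der_hdr(p + eh, elen, &olen);          /* its first field is extnID */
        if (!oh || p[eh] != 0x06) return 0;
        if (olen != oid_len || memcmp(p + eh + oh, oid, oid_len) != 0) {
            memcpy(out + h + kept, p, eh + elen);   /* keep this extension */
            kept += eh + elen;
        }
        p += eh + elen;
    }
    /* Re-encode the outer length: it shrinks with every extension dropped. */
    nh = kept < 0x80 ? 2 : kept < 0x100 ? 3 : 4;
    memmove(out + nh, out + h, kept);
    out[0] = 0x30;
    if (nh == 2) out[1] = (unsigned char)kept;
    else if (nh == 3) { out[1] = 0x81; out[2] = (unsigned char)kept; }
    else { out[1] = 0x82; out[2] = (unsigned char)(kept >> 8); out[3] = (unsigned char)kept; }
    return nh + kept;
}
```

Because the issuer's signature covers the encoded TBSCertificate, including this field, a copy with an extension removed no longer verifies against the original signature and has to be signed again with the proxy's own CA key. If every extension is removed, the field must be omitted entirely, since RFC 5280 does not allow an empty Extensions SEQUENCE.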