On Thu, May 22, 2014 at 11:42 AM, DEXTER <[email protected]> wrote:
> Sure. In a proxy firewall environment, you have the server's certificate,
> and you want to copy that cert exactly as is, but you want to remove some of
> the extensions and show that to the client.
> In case of OpenSSL you have an API for that:
>
>     int idx = X509_get_ext_by_NID(cert, nid, -1);   // get the index
>     X509_EXTENSION *ext = X509_get_ext(cert, idx);  // get the extension
>     if (ext != NULL) {                              // check that the extension was found
>         X509_delete_ext(cert, idx);                 // delete the extension
>         X509_EXTENSION_free(ext);                   // free the memory
>     }
>
> It would be great if GnuTLS had this functionality too.
> Without this API, can you tell me what the way is to copy a certificate and
> only remove some of the extensions from it?
As it is now you have to create a new certificate and copy everything you need there. In 3.3.x it is a bit simpler as you can simply copy the DER-encoded extensions, but there is no API to manipulate certificates, other than add elements.

What you specify can be indeed useful to have, but I don't plan to work on it any time soon. I'd certainly consider adding that if you contribute the needed pieces.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
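As an added example (not code from the thread, from GnuTLS or from OpenSSL), the following Python does at the DER level what Nikos describes for 3.3.x: walk a certificate's DER-encoded Extensions SEQUENCE, copy every Extension except those whose OID is on a drop list, and re-encode the rest byte-for-byte. It also adds the check a practitioner wants when rebuilding a certificate: it refuses to silently drop an extension marked critical, because a relying party is required to reject a certificate whose critical extensions it cannot process, so removing one changes how the certificate is interpreted. The OIDs, the sample extensions and all function names here are constructed for the demo; only the Python standard library is used.

```python
"""Copy a DER Extensions SEQUENCE while dropping selected extensions.

Added example, not project code.  Extension ::= SEQUENCE {
    extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
"""


def _der_len(n: int) -> bytes:
    """DER length field: short form below 0x80, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
        if length < 0x80 or (nbytes > 1 and buf[pos + 2] == 0):
            raise ValueError("non-minimal DER length")  # DER forbids this
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + hdr:end], end


def oid_encode(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def oid_decode(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    vals, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            vals.append(val)
            val = 0
    first = vals[0]
    arcs = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    return ".".join(map(str, arcs + vals[1:]))


def parse_extension(ext_der: bytes):
    """Return (oid, critical, extnValue bytes) for one DER Extension."""
    tag, body, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN critical; DER TRUE is 0xFF
        critical = val == b"\xff"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return oid_decode(oid), critical, val


def _iter_raw_extensions(exts_der: bytes):
    """Yield each Extension's raw DER bytes from an Extensions SEQUENCE."""
    tag, body, end = read_tlv(exts_der, 0)
    if tag != 0x30 or end != len(exts_der):
        raise ValueError("Extensions must be a single SEQUENCE")
    pos = 0
    while pos < len(body):
        _, _, nxt = read_tlv(body, pos)
        yield body[pos:nxt]
        pos = nxt


def list_extensions(exts_der: bytes):
    """List (oid, critical) for every extension, in order."""
    return [parse_extension(e)[:2] for e in _iter_raw_extensions(exts_der)]


def filter_extensions(exts_der: bytes, drop: set, allow_critical: bool = False) -> bytes:
    """Re-encode the Extensions SEQUENCE without the OIDs in `drop`.

    Kept extensions are copied byte-for-byte, so their encoding is unchanged.
    A critical extension is only dropped when the caller opts in explicitly.
    """
    kept = []
    for raw in _iter_raw_extensions(exts_der):
        oid, critical, _ = parse_extension(raw)
        if oid in drop:
            if critical and not allow_critical:
                raise ValueError(f"refusing to drop critical extension {oid}")
            continue
        kept.append(raw)
    return tlv(0x30, b"".join(kept))


# --- constructed sample input (not taken from any real certificate) ---
BASIC_CONSTRAINTS, SUBJECT_ALT_NAME, EXT_KEY_USAGE = "2.5.29.19", "2.5.29.17", "2.5.29.37"


def make_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    body = oid_encode(oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value)
    return tlv(0x30, body)


SAMPLE_EXTENSIONS = tlv(0x30, b"".join([
    make_extension(BASIC_CONSTRAINTS, tlv(0x30, b""), critical=True),        # CA:FALSE
    make_extension(SUBJECT_ALT_NAME, tlv(0x30, tlv(0x82, b"example.com"))),   # dNSName
    make_extension(EXT_KEY_USAGE, tlv(0x30, oid_encode("1.3.6.1.5.5.7.3.1"))),  # serverAuth
]))

if __name__ == "__main__":
    print("before:", list_extensions(SAMPLE_EXTENSIONS))
    print("after: ", list_extensions(filter_extensions(SAMPLE_EXTENSIONS, {SUBJECT_ALT_NAME})))
```

The returned bytes are what you would feed into the new certificate's extensions field when rebuilding it as Nikos describes; because kept extensions are copied verbatim rather than decoded and re-encoded, the copy cannot introduce encoding differences of its own.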
