A bug report has been created. https://gitlab.com/gnutls/gnutls/-/issues/1078

Test case C++ file provided. gnutls patch provided. Test cases with unpatched gnutls fail. With the gnutls patch, test cases that are expected to work do work. The patch may mask the problem rather than fix it. Details in the bug report.

Email here is just to close the thread and move any further discussion to the bug report.

Curtis

In message <[email protected]>
Curtis Villamizar writes:

In message <[email protected]>
Daiki Ueno writes:

> Curtis Villamizar <[email protected]> writes:
>
> > That is OK if using RSA. Doesn't help with EC CA certs.
>
> Yes, because the gnutls_x509_spki_t structure was introduced to cover
> the use-case of RSA-PSS. The question is why you determine that it's
> the cause of the failure you are facing; if you are dealing with EC
> certs, that structure shouldn't be used at all. That's why I'm asking
> for a reproducer.

Right. I thought what I found in the core dump was a hint as to why I was trying to initialize an spki struct.

I'm working with code that worked with prior releases of gnutls (a year ago?), but with the current version (3.6.14) gnutls_x509_crt_sign2 produces a GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, apparently in _gnutls_x509_pkix_sign when it tries _gnutls_privkey_get_spki_params. This is from taking a core file and then putting debug statements in the gnutls code. If it should not be asking for an spki struct then that is a possible hint (for me to look at my code).

I couldn't read the spki from the key since gnutls_x509_*_get_spki produced GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE looking for spki parameters applicable only to RSA-PSS.

I've tried a bunch of things using my older working key and cert files and certtool and got various errors from certtool, but nothing that sheds much light on this, so I'll have to produce cooked-down source code to reproduce the errors.

> Aren't you able to achieve the same task with certtool either?

I use my own software to generate keys and certs from configuration files.

I had many years ago used a perl program that did execs to openssl and looked at the gnutls command line tools as well. This was very cumbersome. Too much info would need to go into perl-program-generated config files to run either openssl or gnutls command line tools, and there were some things that were a pain to do (such as checking to see if params in the keys and certs in use matched the latest configs, which required parsing the ASCII output).

> See also:
> https://www.chiark.greenend.org.uk/~sgtatham/bugs.html#symptoms
> :-)

Thanks for the useful pointer.

> Regards,

Thanks for looking at this. I didn't want to leave the conversation hanging but can't get to this right away. After getting cooked-down C code to simplify reproducing this I'll get back to you.

> > Curtis
> >
> > In message <[email protected]>
> > Daiki Ueno writes:
> >>
> >> Hello Curtis,
> >>
> >> Curtis Villamizar <[email protected]> writes:
> >>
> >> There are quite a lot here and I can't tell what is the root cause until
> >> I see the code. Would it be possible to provide a standalone
> >> reproducer?
> >>
> >> > So there are two issues here:
> >> >
> >> > 1. No way to fill in an spki struct. I may be missing something.
> >>
> >> This one is easy to answer: you can use gnutls_x509_spki_init,
> >> gnutls_x509_spki_set_rsa_pss_params, and gnutls_x509_spki_deinit.
> >>
> >> Regards,
> >> --
> >> Daiki Ueno

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
