[gnutls-devel] GnuTLS | Valid cert fails to verify due to different DN encodings (#553)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sun Sep 16 07:57:20 CEST 2018
The X.509 DN comparison requirement comes from the time DNs were typed in typewriters. The RFC3280 requirements were to compare DNs ignoring case and space changes, something that does not happen ever in software. RFC5280 "modernized" that requirement and added stringprep because that was what was widely accepted at the time, though it didn't eliminate any absurdities from the comparison. In practice there are may a couple of certificates that have different but equivalent DNs, and they often create problems even when correctly handled (see [issue on openssl](https://bugzilla.redhat.com/show_bug.cgi?id=1548401), and I've seen another similar issue on NSS). Although since we are linking with libunistring we could tackle the issue more easy today by using precis than it was in 2001, I'm not sure the extend of the problem justifies any change. Indeed the protocol allows that option, but there is no reason to have differences to a DN, these certificates are very rare and their handling involve disproportionate complexity for their occurrence.
If there is anyone interested for such a change, we may want to tackle exactly this problem (tag difference), rather than string difference due to case changes. I think the only affected functions are `_gnutls_x509_compare_raw_dn`, `gnutls_pkcs11_get_raw_issuer_by_dn`. However I think it is simpler to tackle the problem at the generation and always generate certificates which have the same - byte-by-byte- DN on issuer and subject fields.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/553#note_101657335
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel