[gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Dec 12 16:15:20 CET 2019



julia created an issue: https://gitlab.com/gnutls/gnutls/issues/872




I recently created a faked certificate, which happens to have an "empty" subject and two subject alternative name instances. The certificate is not rejected during path validation.

I can understand that the public key relies on the subject name and the alternative name. The problem is, which subject alternative name needs to be bound to the public key? 

The version of GnuTLS: 3.6.8.

 
The command I used is:  
certtool --verify --load-ca-certificate='rootCA_key_cert.pem' < 5009.pem

The extension part is:
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                Subject Alternative Name (critical):
                        DNSname: motherless.com
                Subject Alternative Name (critical):
                        DNSname: www.flipkart.com
                        DNSname: flipkart.com
                        DNSname: secure.flipkart.com


The verification returns:
Loaded CAs (1 available)
        Subject: (null)
        Issuer: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN
        Checked against: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN
        Signature algorithm: RSA-SHA256
        Output: Verified. The certificate is trusted. 

Chain verification output: Verified. The certificate is trusted. 


The rootCA_key_cert.pem (self-signed root CA):


5009.pem:



[rootCA_key_cert.pem](/uploads/ea3d5695fb35f7d2fed38916b8563992/rootCA_key_cert.pem)
[5009.pem](/uploads/3cb189d2c81df6123378d6ea080200ad/5009.pem)

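Added example, not from the report or from GnuTLS: a pure-Python check for the RFC 5280 section 4.2 rule that a certificate must not contain two instances of the same extension, which is exactly what the reported certificate does and what the path validation above did not flag. The DER helpers and the sample certificate are constructed here (an unsigned v3 skeleton with an empty subject and two critical SubjectAltName extensions, using placeholder names); nothing is taken from the attached 5009.pem.

```python
from collections import Counter

def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def duplicate_extensions(cert_der):
    """Hex OIDs of extensions that occur more than once (RFC 5280 4.2 forbids any)."""
    _, cert, _ = read_tlv(cert_der)                                   # Certificate
    tbs = next(v for _, v in children(cert))                          # TBSCertificate
    wrapper = next((v for t, v in children(tbs) if t == 0xA3), None)  # [3] EXPLICIT Extensions
    if wrapper is None:
        return []
    _, ext_list, _ = read_tlv(wrapper)                                # SEQUENCE OF Extension
    counts = Counter(next(v for t, v in children(ext) if t == 0x06).hex()   # extnID
                     for _, ext in children(ext_list))
    return sorted(oid for oid, n in counts.items() if n > 1)

def tlv(tag, content):  # DER-encode one TLV; lengths up to 65535 are enough here
    n = len(content)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + content

def san_extension(*dns_names):  # critical SubjectAltName (OID 2.5.29.17 = 55 1d 11) of dNSNames
    names = b"".join(tlv(0x82, d.encode()) for d in dns_names)
    return tlv(0x30, tlv(0x06, b"\x55\x1d\x11") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, names)))

BASIC_CONSTRAINTS_CA = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x01, b"\xff") + tlv(0x04, b"\x30\x03\x01\x01\xff"))

# Constructed sample (not the reporter's 5009.pem): unsigned v3 skeleton, empty subject, two
# separate SubjectAltName extensions; fields the check never reads are empty placeholders.
SAMPLE_CERT = tlv(0x30, tlv(0x30,
    tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")        # [0] version v3, serialNumber
    + tlv(0x30, b"") * 3                                        # signature algid, issuer, validity
    + tlv(0x30, b"") * 2                                        # subject (empty, as reported), SPKI
    + tlv(0xA3, tlv(0x30, BASIC_CONSTRAINTS_CA
                    + san_extension("ca.example")
                    + san_extension("www.example.com", "example.com", "secure.example.com"))))
    + tlv(0x30, b"") + tlv(0x03, b"\x00"))                     # outer signatureAlgorithm, signatureValue
print(duplicate_extensions(SAMPLE_CERT))   # ['551d11']: SubjectAltName appears twice
```

Running the same check over the real 5009.pem (after base64-decoding the CERTIFICATE block) would report the duplicated 2.5.29.17 before any chain verification is attempted.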



