[gnutls-devel] GnuTLS | Gnutls accepts a certificate with invalid Subject Public Key Info (#873)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Dec 14 16:08:46 CET 2019

Nikos Mavrogiannopoulos commented:

The error will be detected when the public key is to be used. For example if you try to print that certificate you'll get:
error importing public key: ASN1 parser: Error in TAG.

Similarly if you try to use it in a TLS handshake the handshake will fail when it tries to use it.

So accepted is not really the case. The fact that other implementations reject it earlier may have more to do with the internal parsers of X.509 rather than an intentional action. Is there some particular attack or potential flaw that you are trying to address from? 

Nevertheless, if there is a particular attack or threat we can defend from would you like to suggest an MR? We could check whether there is an error when reading the public key algorithm (that will check the pubkey form too), at `_gnutls_check_cert_sanity`.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/873#note_260370109
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20191214/6e2aea8a/attachment.html>

More information about the Gnutls-devel mailing list