[gnutls-devel] GnuTLS | gnutls accepts certificates including two instance of a particular extension (#887)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Dec 23 13:33:03 CET 2019



llqll created an issue: https://gitlab.com/gnutls/gnutls/issues/887



I recently created a certificate chain [rootCA, intermediate certificate, leaf certificate], with the leaf certificate containing two Subject Key Identifier fields. Clearly, the leaf certificate violates Section 4.2 of RFC 5280: "A certificate MUST NOT include more than one instance of a particular extension." Meanwhile, the chain still passes certificate verification with gnutls 3.6.11.

The command I used is:
```
certtool --verify --load-ca-certificate 1.pem --infile leaf.pem
```
The verification returns:
```
Chain verification output: Verified. The certificate is trusted.
```
1.pem (it contains two certificates inside):
```
-----BEGIN CERTIFICATE-----
[certificate body removed]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate body removed]
-----END CERTIFICATE-----
```
leaf.pem:
```
-----BEGIN CERTIFICATE-----
[certificate body removed]
-----END CERTIFICATE-----
```
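The check the report is asking GnuTLS to perform can be expressed independently of any TLS library: walk the DER structure of the certificate, collect the `extnID` of every entry in the `[3] Extensions` field of `tbsCertificate`, and flag any OID that occurs more than once. The following is an added example written for this post; it is not GnuTLS or certtool code and does not use the reporter's certificates. The DER walker is a minimal, hypothetical one written just for this check, and the two sample certificates at the bottom are constructed in place (placeholder names, key and signature) so the script runs offline.

```python
# Added example, not GnuTLS code: report X.509 extensions that appear more than
# once in a DER certificate (RFC 5280 section 4.2 forbids that). The DER walker
# is a minimal hypothetical one written for this check, not a general parser.
from collections import Counter

def read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short-form length
        return tag, pos, pos + first
    nbytes = first & 0x7F                 # long form: length occupies nbytes bytes
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    return tag, pos + nbytes, pos + nbytes + length

def children(buf):
    """Yield (tag, value) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve

def decode_oid(raw):
    """OID contents bytes -> dotted string, e.g. b'\\x55\\x1d\\x0e' -> '2.5.29.14'."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def extension_oids(cert_der):
    """Extension OIDs of a DER certificate, in order of appearance."""
    tag, vs, ve = read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs = next(children(cert_der[vs:ve]))      # tbsCertificate ::= SEQUENCE
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    oids = []
    for field_tag, field in children(tbs):
        if field_tag == 0xA3:                           # [3] EXPLICIT Extensions
            _, ext_list = next(children(field))         # SEQUENCE OF Extension
            for _, ext in children(ext_list):           # Extension ::= SEQUENCE {extnID OID, ...}
                oid_tag, oid = next(children(ext))
                if oid_tag != 0x06:
                    raise ValueError("extnID is not an OID")
                oids.append(decode_oid(oid))
    return oids

def duplicate_extensions(cert_der):
    """OIDs present more than once; a non-empty result means the cert violates RFC 5280 4.2."""
    return sorted(oid for oid, n in Counter(extension_oids(cert_der)).items() if n > 1)

# ---- constructed sample certificates (synthetic, not the reporter's files) ----
def der(tag, payload):
    """Tiny DER encoder, only used to build the samples below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    """Dotted OID -> contents bytes (base-128 arcs, high bit marks continuation)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)

SKI, BASIC_CONSTRAINTS = "2.5.29.14", "2.5.29.19"

def extension(oid, value):
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING } (critical left at DEFAULT FALSE)."""
    return der(0x30, der(0x06, encode_oid(oid)) + der(0x04, value))

def build_sample_cert(extensions):
    """Synthetic v3 certificate skeleton with placeholder names, key and signature."""
    alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.11")))   # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"191223133303Z") * 2)             # UTCTime notBefore/notAfter
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg    # version v3, serial 1
           + der(0x30, b"") + validity + der(0x30, b"")                # issuer, validity, subject
           + der(0x30, b"")                                           # subjectPublicKeyInfo placeholder
           + der(0xA3, der(0x30, b"".join(extensions))))              # [3] extensions
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00"))

WELL_FORMED = build_sample_cert([extension(BASIC_CONSTRAINTS, der(0x30, b"")),
                                 extension(SKI, der(0x04, b"abcd"))])
DOUBLE_SKI = build_sample_cert([extension(SKI, der(0x04, b"abcd")),
                                extension(BASIC_CONSTRAINTS, der(0x30, b"")),
                                extension(SKI, der(0x04, b"efgh"))])
```

`duplicate_extensions(WELL_FORMED)` returns an empty list, while `duplicate_extensions(DOUBLE_SKI)` returns `['2.5.29.14']`, the Subject Key Identifier OID. To run the same check on a real file such as the `leaf.pem` above, base64-decode the text between the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` markers and pass the resulting bytes to `duplicate_extensions`; a non-empty result is the condition a strict validator should reject before the chain is reported as trusted.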




