[gnutls-devel] GnuTLS | Name Constraints applied to intermediate CA CN because CA certificate does not have Extended key usage ( (#776)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu May 30 21:08:07 CEST 2019

I'll try to be more specific:

1) First, according to https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/verify.c#L678, verify_crt will not apply name constraints against CA certificates. However, AFAIK, name constraints should only be skipped when it is a self-issued certificate, except when it the final certificate in the path. So it should be checked against intermediate CA, specially against subtrees constraints.

> Name constraints are not applied to self-issued certificates (unless
> the certificate is the final certificate in the path).  (This could
> prevent CAs that use name constraints from employing self-issued
> certificates to implement key rollover.)
> https://tools.ietf.org/html/rfc5280#section-

2) If CA certificate should be checked against DNS name constraints, it will try to get SubjAltName.DNS at https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/name_constraints.c#L1196 . Normally, a CA certificate should not have it. Here https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/name_constraints.c#L1223 it is assumed that the certificate being tested is not a CA (but as I mentioned before in 1), it should consider that the cert being tested is a CA). As it assumes that it is not a CA, it only checks key purpose for GNUTLS_KP_TLS_WWW_SERVER. When it did not find Extended key usage (, it assumes that the certificate can be used as TLS WWW Server. Shouldn't it be better to check CA:true and key usage ( before? It might avoid testing CN for a certificate that cannot be used for a TLS Service. I don't know exactly what qualifies a certificate to be used in a TLS Service.

3) Finally, it is a certificate suitable for a TLS Service. Considering that there is no SubjectAltName.DNS, it tests CN https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/name_constraints.c#L1243. Here, it should test if CN is a valid DNS Name (see openssl commit I cited in my last comment) before testing CN against DNS name constraints. It is uncommon but a server certificate can still be usable without SubjAltName.DNS without relying on CN as it can use SubjAltName.IPAddress or SubjAltName.URI. There is no reason to test CN against DNS name constraints if it is not usable as a DNS Name.

BTW, I opened a bug for pidgin problem https://developer.pidgin.im/ticket/17393

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776#note_176373861
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190530/e461d26b/attachment.html>

More information about the Gnutls-devel mailing list