[gnutls-devel] GnuTLS | Name Constraints parsing failure (unsupported othername or subject null) (#1132)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Dec 8 10:31:34 CET 2020



Moritz Schlarb created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1132



First of all,
I'm sorry that I had to replace all the actual domain names, but I couldn't reach someone to tell me that it would be okay to post them here...
I hope it doesn't prevent you from having a look.

## Description of problem:

I have an (intermediate) certificate (generated and used on Windows) that includes Name Constraints (for Kerberos Principals) that OpenSSL seems to be able to parse (to some extent), but GnuTLS does not (at all):

GnuTLS:
```
~ # certtool --certificate-info --infile $INTERMEDIATE.pem | grep -C1 "Name Constraints"
			Access Location URI: $CDP_URL
		Name Constraints (critical):
	Signature Algorithm: RSA-SHA256
```

OpenSSL:
```
~ # openssl x509 -in $INTERMEDIATE.pem -noout -text | grep -A12 "Name Constraints"
            X509v3 Name Constraints: critical
                Permitted:
                  othername:<unsupported>
                  othername:<unsupported>
                  email:.$DOMAIN.$TLD
                  email:@$DOMAIN.$TLD
                  DNS:$DOMAIN
                  DNS:.$DOMAIN.$TLD
                  DNS:$DOMAIN.$TLD
                  DirName:DC = $TLD, DC = $DOMAIN
                  URI:http://.$DOMAIN.$TLD
                  URI:http://$DOMAIN.$TLD
```

Windows:
```
Permitted
     [1]Subtrees (0..Max):
          Other Name:
               Principal Name=.$DOMAIN.$TLD
     [2]Subtrees (0..Max):
          Other Name:
               Principal Name=@$DOMAIN.$TLD
     [3]Subtrees (0..Max):
          RFC822 Name=.$DOMAIN.$TLD
     [4]Subtrees (0..Max):
          RFC822 Name=@$DOMAIN.$TLD
     [5]Subtrees (0..Max):
          DNS Name=$DOMAIN
     [6]Subtrees (0..Max):
          DNS Name=.$DOMAIN.$TLD
     [7]Subtrees (0..Max):
          DNS Name=$DOMAIN.$TLD
     [8]Subtrees (0..Max):
          Directory Address:
               DC=$DOMAIN
               DC=$TLD
     [9]Subtrees (0..Max):
          URL=http://.$DOMAIN.$TLD
     [10]Subtrees (0..Max):
          URL=http://$DOMAIN.$TLD
Excluded=None
```

## Version of gnutls used:

3.6.7 and 3.7.0

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Debian Stable and Unstable

## How reproducible:

I tried to reproduce the certificate setup, but it seems impossible to add the unsupported name constraints by OID, and I can't create a leaf certificate with a `null` subject.

## Actual results:
```
~ # certtool --verify --verify-hostname $LEAF --load-ca-certificate $CA --infile $LEAF
Loaded CAs (1 available)
	Subject: $INTERMEDIATE
	Issuer: $CA
	Checked against: $CA
	Signature algorithm: RSA-SHA256
	Output: Verified. The certificate is trusted. 

	Subject: (null)
	Issuer: $INTERMEDIATE
	Checked against: $INTERMEDIATE
	Signature algorithm: RSA-SHA256
	Output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints. 

Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints. 
```

## Expected results:

The leaf certificate should be trusted (it is in OpenSSL):
```
openssl verify -CAfile $CA+INTERMEDIATE $LEAF
$LEAF: OK
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1132
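An added example, not part of the report above and not GnuTLS or OpenSSL code: a small pure-stdlib Python walker for the NameConstraints extension value (RFC 5280 section 4.2.1.10) that shows what a tolerant decoder does with the subtrees in the report. When it meets an otherName whose type OID it does not know, it records the OID and the value and carries on with the remaining subtrees, instead of producing nothing for the extension as the certtool output above does. The extension DER is constructed inline; the otherName uses the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 as an assumption about what Windows prints as "Principal Name" (the report does not show the real OID), and the domain names are placeholders. The dNSName matching rule at the end follows the OpenSSL convention that a base starting with "." matches subdomains only.

```python
"""Minimal DER walker for the X.509 NameConstraints extension (added example)."""

# --- tiny DER encoder, only used to build the sample extension value ---------
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

# --- tiny DER decoder ----------------------------------------------------------
def read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def decode_general_name(tag, body):
    """GeneralName CHOICE; context tag number selects the form (RFC 5280 4.2.1.6)."""
    kind = tag & 0x1F
    if kind == 0:                                   # otherName [0] { type-id OID, value [0] EXPLICIT ANY }
        _, oid_body, pos = read_tlv(body, 0)
        _, wrapped, _ = read_tlv(body, pos)         # the [0] EXPLICIT wrapper
        inner_tag, inner, _ = read_tlv(wrapped, 0)
        value = inner.decode("utf-8") if inner_tag == 0x0C else inner  # keep unknown types opaque
        return ("otherName", decode_oid(oid_body), value)
    if kind == 1:
        return ("rfc822Name", body.decode("ascii"))
    if kind == 2:
        return ("dNSName", body.decode("ascii"))
    if kind == 4:
        return ("directoryName", body)              # DER of Name, left undecoded here
    if kind == 6:
        return ("uniformResourceIdentifier", body.decode("ascii"))
    return ("unsupported", kind, body)

def decode_name_constraints(der):
    """NameConstraints ::= SEQUENCE { permittedSubtrees [0], excludedSubtrees [1] }"""
    _, body, _ = read_tlv(der, 0)
    result, pos = {"permitted": [], "excluded": []}, 0
    while pos < len(body):
        tag, subtrees, pos = read_tlv(body, pos)
        key = "permitted" if tag == 0xA0 else "excluded"
        p = 0
        while p < len(subtrees):
            _, subtree, p = read_tlv(subtrees, p)   # GeneralSubtree ::= SEQUENCE { base, minimum, maximum }
            gtag, gbody, _ = read_tlv(subtree, 0)   # minimum/maximum are ignored (RFC 5280: MUST be 0/absent)
            result[key].append(decode_general_name(gtag, gbody))
    return result

def describe(nc):
    lines = []
    for key in ("permitted", "excluded"):
        for gn in nc[key]:
            lines.append(f"{key}: {gn[0]} {gn[1]} = {gn[2]!r}" if gn[0] == "otherName"
                         else f"{key}: {gn[0]} = {gn[1]!r}")
    return lines

def dns_permitted(nc, hostname):
    """True if hostname satisfies the permitted dNSName subtrees (or none exist)."""
    bases = [gn[1].lower() for gn in nc["permitted"] if gn[0] == "dNSName"]
    if not bases:
        return True                                 # this name form is unconstrained
    host = hostname.lower().rstrip(".")
    return any(host.endswith(b) if b.startswith(".") else host == b or host.endswith("." + b)
               for b in bases)

# --- constructed sample, approximating the report's intermediate ----------------
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # assumption: Windows "Principal Name" otherName
def other_name(type_oid, text):
    return tlv(0xA0, oid(type_oid) + tlv(0xA0, tlv(0x0C, text.encode())))
def subtree(general_name):
    return tlv(0x30, general_name)
SAMPLE = tlv(0x30, tlv(0xA0,
    subtree(other_name(UPN_OID, ".example.test")) +
    subtree(tlv(0x81, b".example.test")) +
    subtree(tlv(0x82, b"example.test")) +
    subtree(tlv(0x86, b"http://example.test"))))

if __name__ == "__main__":
    print("\n".join(describe(decode_name_constraints(SAMPLE))))
```

The design point: an otherName type the verifier cannot interpret need not poison the whole extension; the OID and value are decodable regardless of type, and only the constraint semantics for that form are unknown. What a verifier then does with an uninterpretable form in a critical extension is a policy decision (reject the chain, or treat the form as unconstrained because the leaf carries no such name); silently dropping the entire extension would be the worst of the options, since the remaining dNSName and rfc822Name limits would go unenforced.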

