[gnutls-devel] GnuTLS | lib/x509: use common routine for parsing data version (!1209)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Mar 12 11:53:57 CET 2020

Dmitry Baryshkov commented on a discussion on lib/x509/common.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303806719

>  	else
>  		return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN);
>  }
> +
> +int _gnutls_x509_get_version(asn1_node root, const char *name)
> +{
> +	uint8_t version[8];
> +	int len, result;
> +
> +	len = sizeof(version);
> +	result = asn1_read_value(root, name, version, &len);
> +	if (result != ASN1_SUCCESS) {
> +		if (result == ASN1_ELEMENT_NOT_FOUND)

`TBSCertificate`, `TBSRequest` and `TBSResponse` definitions contain excplicit `Version DEFAULT v1` note.

For CRLs it is quite different (see https://tools.ietf.org/html/rfc5280):
Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                                   -- if present, MUST be v2

I think the problem comes from section 5.2 which specifies:
Conforming CAs that issue CRLs are required to include the authority
key identifier (see sec. 5.2.1) and the CRL number (see sec. 5.2.3)
extensions in all CRLs issued.

Which means that all issued CRLs MUST contain version field which should be v2.

x.509 spec from 1997 contains following paragraph:
 If any extensions included in a CertificateList are defined as critical, the version element of the CertificateList shall be
present. If no extensions defined as critical are included, the version element shall be absent. This may permit an implementation
that only supports version 1 CRLs to still use the CRL if in its examination of the revokedCertificates sequence in the CRL, it does
not encounter an extension. An implementation that supports version 2 (or greater) CRLs may be able to optimize its processing if
it can determine early in processing that no critical extensions are present in the CRL.

Judging from this I think that it is safe to default `v1(0)` if there is no `tbsCertList.version` field.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1209#note_303806719
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200312/cfe6936a/attachment.html>

More information about the Gnutls-devel mailing list