[gnutls-devel] GnuTLS | DNS name matching for name constraints is case-sensitive (#1223)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon May 3 21:02:50 CEST 2021



Robert Suska created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1223



## Description of problem:

I've noticed that when GnuTLS checks name constraints during validation of X.509 certificates, it performs a case-sensitive matching on DNS names. I think this is a bug, since [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280.txt) (article 7.2) says _"When evaluating name constraints, conforming implementations MUST perform a case-insensitive exact match on a label-by-label basis."_.

## Version of gnutls used:

3.6.14

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

RHEL 8.3

## How reproducible:

[example_chain.zip](/uploads/fb73fc696d5db4bf969a6e7556c5046d/example_chain.zip) contains three certificates, where

_root_ca.pem_ specifies a single name constraint:

```
X509v3 Name Constraints: critical
    Permitted:
      DNS:example.com
```

_server_ok.pem_ has an alternative name:

```
X509v3 Subject Alternative Name:
    DNS:test.example.com
```

_server_error.pem_ has an alternative name:

```
X509v3 Subject Alternative Name:
    DNS:test.EXAMPLE.COM
```

and the following two commands need to be run:

```
certtool --load-ca-certificate root_ca.pem --verify-profile low --verify --infile server_ok.pem
```

```
certtool --load-ca-certificate root_ca.pem --verify-profile low --verify --infile server_error.pem
```

## Actual results:

The validation result for the first chain (with _server_ok.pem_) is

```
Chain verification output: Verified. The certificate is trusted.
```

while the validation result for the second chain (with _server_error.pem_) is

```
Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints.
```

## Expected results:

It would be expected that both chains are validated successfully.

## Note:

For reference, I've also included a [real_world_example_chain.zip](/uploads/8dd73b9f217b6f3539a8b21fd9919835/real_world_example_chain.zip).

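The matching rule the report quotes from RFC 5280 (case-insensitive, label by label, with the permitted subtree allowed to gain extra labels on the left) is small enough to write out. The following is an added, self-contained example and is not GnuTLS code or code from the reporter; it assumes names are plain ASCII or already in A-label form, treats a single trailing dot as the FQDN marker, and rejects empty labels. The constructed sample inputs at the bottom mirror the report's chains: a permitted subtree of `example.com` checked against `test.example.com`, `test.EXAMPLE.COM`, and (to show the label-boundary case) `badexample.com`.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 128

/* A DNS name broken into its labels (pointers into the original string). */
struct labels {
    const char *ptr[MAX_LABELS];
    size_t len[MAX_LABELS];
    int n;
};

/* Split "a.b.c" into labels; a single trailing dot (FQDN form) is ignored.
 * Returns false for an empty name, an empty label ("a..b") or too many labels. */
static bool split_labels(const char *s, struct labels *out)
{
    size_t len = strlen(s);
    size_t start = 0;
    out->n = 0;
    if (len > 0 && s[len - 1] == '.')
        len--;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || s[i] == '.') {
            if (i == start || out->n == MAX_LABELS)
                return false;
            out->ptr[out->n] = s + start;
            out->len[out->n] = i - start;
            out->n++;
            start = i + 1;
        }
    }
    return true;
}

/* Case-insensitive label comparison. Only ASCII folding is applied: RFC 5280
 * section 7.2 expects internationalized names in A-label form at this point. */
static bool label_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* True if `name` lies in the DNS subtree `constraint`: the name equals the
 * constraint or is the constraint with labels prepended (RFC 5280 4.2.1.10),
 * compared label by label without regard to case (7.2). "badexample.com" is
 * not under "example.com" because comparison never crosses a label boundary. */
bool dns_in_subtree(const char *name, const char *constraint)
{
    struct labels n, c;
    if (!split_labels(name, &n) || !split_labels(constraint, &c))
        return false;
    if (n.n < c.n)
        return false;
    for (int i = 1; i <= c.n; i++)
        if (!label_equal(n.ptr[n.n - i], n.len[n.n - i],
                         c.ptr[c.n - i], c.len[c.n - i]))
            return false;
    return true;
}

/* Apply permitted/excluded dNSName subtrees to a certificate's SAN DNS names:
 * every name must fall inside at least one permitted subtree (when any are
 * present) and inside none of the excluded subtrees. */
bool check_dns_constraints(const char *const *names, int nnames,
                           const char *const *permitted, int npermitted,
                           const char *const *excluded, int nexcluded)
{
    for (int i = 0; i < nnames; i++) {
        bool allowed = (npermitted == 0);
        for (int j = 0; j < npermitted && !allowed; j++)
            allowed = dns_in_subtree(names[i], permitted[j]);
        if (!allowed)
            return false;
        for (int j = 0; j < nexcluded; j++)
            if (dns_in_subtree(names[i], excluded[j]))
                return false;
    }
    return true;
}

int main(void)
{
    /* Constructed inputs mirroring the report: root_ca.pem permits
     * DNS:example.com; the leaves carry the names listed below. */
    const char *const permitted[] = { "example.com" };
    const char *const leaves[] = { "test.example.com", "test.EXAMPLE.COM",
                                   "badexample.com" };
    for (size_t i = 0; i < sizeof leaves / sizeof leaves[0]; i++)
        printf("%-18s -> %s\n", leaves[i],
               check_dns_constraints(&leaves[i], 1, permitted, 1, NULL, 0)
                   ? "within constraints" : "violates constraints");
    return 0;
}
```

With this rule both `test.example.com` and `test.EXAMPLE.COM` fall inside the `example.com` subtree, which is the outcome the report expects for both chains; `badexample.com` is rejected because the suffix does not start at a label boundary.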

