[gnutls-devel] GnuTLS | DNS name matching for name constraints is case-sensitive (#1223)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon May 3 21:02:50 CEST 2021

Robert Suska created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1223

## Description of problem:

I've noticed that when GnuTLS checks name constraints during validation of X.509 certificates, it performs a case-sensitive matching on DNS names. I think this is a bug, since [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280.txt) (section 7.2) says _"When evaluating name constraints, conforming implementations MUST perform a case-insensitive exact match on a label-by-label basis."_

## Version of gnutls used:


## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

RHEL 8.3

## How reproducible:

[example_chain.zip](/uploads/fb73fc696d5db4bf969a6e7556c5046d/example_chain.zip) contains three certificates, where

_root_ca.pem_ specifies a single name constraint:

X509v3 Name Constraints: critical

_server_ok.pem_ has an alternative name:

X509v3 Subject Alternative Name:

_server_error.pem_ has an alternative name:

X509v3 Subject Alternative Name:

and the following two commands need to be run:

certtool --load-ca-certificate root_ca.pem --verify-profile low --verify --infile server_ok.pem

certtool --load-ca-certificate root_ca.pem --verify-profile low --verify --infile server_error.pem

## Actual results:

The validation result for the first chain (with _server_ok.pem_) is

Chain verification output: Verified. The certificate is trusted.

while the validation result for the second chain (with _server_error.pem_) is

Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints.

## Expected results:

It would be expected that both chains are validated successfully.

## Note:

For reference, I've also included a [real_world_example_chain.zip](/uploads/8dd73b9f217b6f3539a8b21fd9919835/real_world_example_chain.zip).

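The following is an added illustration of the matching rule the issue cites, not code from GnuTLS or from the reporter. It implements dNSName subtree matching as RFC 5280 describes it (section 4.2.1.10: a name satisfies a constraint when zero or more labels are added to the left of the constraint; section 7.2: labels are compared case-insensitively, label by label), and keeps a `case_sensitive` switch only to reproduce the rejection the issue reports. The constraint `example.com` and the hostnames used in the demo are constructed for this example; the actual values inside the issue's attached certificates did not survive in the text above.

```python
"""Name-constraint matching for dNSName entries (added example, not GnuTLS code).

RFC 5280 4.2.1.10: "host.example.com" permits host.example.com and any name
formed by prepending labels to it (e.g. www.host.example.com), nothing else.
RFC 5280 7.2: the comparison is a case-insensitive exact match, label by label.
"""

from __future__ import annotations


def _labels(name: str) -> list[str]:
    # Split into DNS labels. A trailing dot (FQDN form) is dropped; this is a
    # choice made for the example, RFC 5280 does not discuss it.
    return name.rstrip(".").split(".")


def dns_name_in_subtree(name: str, constraint: str, *, case_sensitive: bool = False) -> bool:
    """True when `name` equals `constraint` or lies below it in the DNS tree.

    case_sensitive=False is the RFC 5280 behaviour. case_sensitive=True is
    kept only to show the rejection described in the issue.
    """
    n, c = _labels(name), _labels(constraint)
    # Reject malformed input (empty labels such as "a..b" or an empty string).
    if not c or any(lbl == "" for lbl in c) or any(lbl == "" for lbl in n):
        return False
    if len(n) < len(c):
        return False  # the name has fewer labels than the constraint
    tail = n[len(n) - len(c):]  # the right-most labels of the name
    if case_sensitive:
        return tail == c
    # ASCII case folding; non-ASCII labels would have to be IDNA-encoded
    # (A-labels) before reaching this point, which this example does not do.
    return [lbl.lower() for lbl in tail] == [lbl.lower() for lbl in c]


def check_name_constraints(
    san_dns_names: list[str],
    permitted: list[str],
    excluded: list[str],
    *,
    case_sensitive: bool = False,
) -> tuple[bool, str]:
    """Apply a CA's dNSName constraints to every dNSName in a leaf's SAN.

    RFC 5280 4.2.1.10: each name must fall within at least one permitted
    subtree (when any are given) and within no excluded subtree.
    Returns (accepted, reason).
    """
    for name in san_dns_names:
        if any(dns_name_in_subtree(name, ex, case_sensitive=case_sensitive) for ex in excluded):
            return False, f"{name!r} is inside an excluded subtree"
        if permitted and not any(
            dns_name_in_subtree(name, p, case_sensitive=case_sensitive) for p in permitted
        ):
            return False, f"{name!r} is outside every permitted subtree"
    return True, "all dNSName entries satisfy the constraints"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenario: CA permits example.com; two leaves differ only in case."""
    permitted = ["example.com"]  # constructed constraint, not the issue's real value
    results = {}
    for label, leaf in (("server_ok", ["www.example.com"]), ("server_error", ["WWW.EXAMPLE.COM"])):
        results[f"{label}/rfc5280"] = check_name_constraints(leaf, permitted, [])
        results[f"{label}/case-sensitive"] = check_name_constraints(
            leaf, permitted, [], case_sensitive=True
        )
    return results


if __name__ == "__main__":
    for key, (ok, why) in demo().items():
        print(f"{key:28s} {'Verified' if ok else 'NOT verified'}: {why}")
```

Under the RFC rule both leaves are accepted; only the case-sensitive variant rejects the upper-case name, which is the difference between the two `certtool` outputs quoted in the issue. Note also that `notexample.com` is correctly refused in both modes, since the match is label by label rather than a string suffix check.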