[gnutls-devel] GnuTLS | certtool: adding a policy without qualifiers results in empty sequence (#1238)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Fri May 14 23:39:01 CEST 2021



Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1238



Consider a certtool template that contains one of the [NIST test policies](https://csrc.nist.gov/CSRC/media/Projects/Computer-Security-Objects-Register/documents/test_policy.pdf):

```
policy1 = 2.16.840.1.101.3.2.1.48.1
```

but doesn't contain either `policy1_txt` or `policy1_url`.

In this case, `certtool` embeds an x509v3 certificatePolicies (2.5.29.32) extension with the value `3010300E060A608648016503020130013000`, which unpacks to:

```
  0  16: SEQUENCE {
  2  14:   SEQUENCE {
  4  10:     OBJECT IDENTIFIER nistTestPolicy1 (2 16 840 1 101 3 2 1 48 1)
 16   0:     SEQUENCE {}
       :     }
       :   }
```

RFC 3280 defines this structure as a `certificatePolicies` structure:

```
   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

   PolicyInformation ::= SEQUENCE {
        policyIdentifier   CertPolicyId,
        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                                PolicyQualifierInfo OPTIONAL }

   CertPolicyId ::= OBJECT IDENTIFIER

   PolicyQualifierInfo ::= SEQUENCE {
        policyQualifierId  PolicyQualifierId,
        qualifier          ANY DEFINED BY policyQualifierId }
```

The final empty sequence (starting at octet 16) is the `policyQualifiers` object.  This object is optional.  But if it is present, it is a sequence of at least size 1.

If there are no qualifiers, `certtool` should instead omit the `policyQualifiers` sequence entirely, rather than emitting it as an empty sequence.

This was caught by [David Cooper's cert_check](https://github.com/dcooper16/cert_check).

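As an added illustration of the check this issue calls for (example code written here, not from the issue, from GnuTLS or from cert_check): a minimal Python DER walker that decodes a certificatePolicies extension value and flags a PolicyInformation whose policyQualifiers SEQUENCE is present but empty. The buggy input is the hex quoted in the issue; the corrected input is a constructed encoding of the same policy with policyQualifiers omitted.

```python
# Added example (not from the issue or GnuTLS): a minimal DER walker for the
# certificatePolicies extension that flags the malformation described above.
TAG_OID, TAG_SEQUENCE = 0x06, 0x30
# Constructed inputs: the value certtool emitted (hex from the issue) and the
# same policy with policyQualifiers omitted, as RFC 3280 requires.
BUGGY_DER = bytes.fromhex("3010300E060A608648016503020130013000")
FIXED_DER = bytes.fromhex("300E300C060A60864801650302013001")

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):  # yield (tag, content) for each TLV in a SEQUENCE's content
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

def decode_oid(content):
    """Decode OID content octets to dotted form (handles the 2.x first arc)."""
    first, acc = content[0], 0
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def check_certificate_policies(der):
    """Return [(policy OID, qualifier count or None, problem or None)] per PolicyInformation."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("extension value is not a single DER SEQUENCE")
    results = []
    for tag, info in iter_tlvs(body):
        fields = list(iter_tlvs(info))
        if tag != TAG_SEQUENCE or not fields or fields[0][0] != TAG_OID:
            raise ValueError("malformed PolicyInformation")
        oid, qualifiers, problem = decode_oid(fields[0][1]), None, None
        if len(fields) > 1:  # policyQualifiers present: SIZE (1..MAX) requires >= 1 item
            qualifiers = sum(1 for _ in iter_tlvs(fields[1][1]))
            if qualifiers == 0:
                problem = "empty policyQualifiers SEQUENCE; omit it instead"
        results.append((oid, qualifiers, problem))
    return results
```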
