[gnutls-devel] GnuTLS | certtool: adding a policy without qualifiers results in empty sequence (#1238)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Fri May 14 23:39:01 CEST 2021
Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1238
Consider a certtool template that contains one of the [NIST test policies](https://csrc.nist.gov/CSRC/media/Projects/Computer-Security-Objects-Register/documents/test_policy.pdf):
```
policy1 = 2.16.840.1.101.3.2.1.48.1
```
but doesn't contain either `policy1_txt` or `policy1_url`.
In this case, `certtool` embeds an x509v3 certificatePolicies (2.5.29.32) extension with the value `3010300E060A608648016503020130013000`, which unpacks to:
```
  0  16: SEQUENCE {
  2  14:   SEQUENCE {
  4  10:     OBJECT IDENTIFIER nistTestPolicy1 (2 16 840 1 101 3 2 1 48 1)
 16   0:     SEQUENCE {}
       :     }
       :   }
```
RFC 3280 defines this structure as a `certificatePolicies` structure:
```
certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
     policyIdentifier   CertPolicyId,
     policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                             PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
     policyQualifierId  PolicyQualifierId,
     qualifier          ANY DEFINED BY policyQualifierId }
```
The final empty sequence (starting at octet 16) is the `policyQualifiers` object. This object is optional. But if it is present, it is a sequence of at least size 1.
If there are no qualifiers, `certtool` should instead omit the `policyQualifiers` sequence entirely, rather than emitting it as an empty sequence.
This was caught by [David Cooper's cert_check](https://github.com/dcooper16/cert_check).
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1238
You're receiving this email because of your account on gitlab.com.
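The following is an added example, not part of the issue above and not GnuTLS or certtool code. It is a dependency-free Python DER walker that decodes the extension value quoted in the issue, reports the `policyQualifiers` SEQUENCE that is present but empty (which the `SIZE (1..MAX)` constraint forbids), and shows the encoding certtool should emit when a policy has no qualifiers: the same `PolicyInformation` with the OPTIONAL field omitted. The hex constant is the one from the issue; the function and variable names are this example's own.

```python
"""Added example (not GnuTLS code): spot an empty policyQualifiers SEQUENCE
in a DER certificatePolicies extension and produce the RFC 3280-conformant
encoding that omits the OPTIONAL field instead. Standard library only."""
from __future__ import annotations

from typing import Iterator, Optional

# The extension value certtool emitted in the issue (policy1 set, no qualifiers).
BUGGY_CERT_POLICIES = bytes.fromhex("3010300E060A608648016503020130013000")
NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1"

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not DER")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def tlvs(buf: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (tag, content) for each consecutive TLV in buf; reject truncation."""
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _read_length(buf, pos + 1)
        content = buf[pos:pos + length]
        if len(content) != length:
            raise ValueError("truncated TLV")
        yield tag, content
        pos += length


def decode_oid(content: bytes) -> str:
    """OID content octets (base-128 sub-identifiers) -> dotted string."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("malformed OID")
    top = min(arcs[0] // 40, 2)            # first octet packs the first two arcs
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV (short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_certificate_policies(policies: list[tuple[str, Optional[bytes]]]) -> bytes:
    """policies: (oid, qualifiers) pairs, qualifiers being the already encoded
    content of the policyQualifiers SEQUENCE, or None to omit the field."""
    infos = b""
    for oid, qualifiers in policies:
        info = tlv(TAG_OID, encode_oid(oid))
        if qualifiers is not None:          # None -> OPTIONAL field left out
            info += tlv(TAG_SEQUENCE, qualifiers)
        infos += tlv(TAG_SEQUENCE, info)
    return tlv(TAG_SEQUENCE, infos)


def check_certificate_policies(der: bytes) -> list[str]:
    """Return one message per SIZE/structure violation; empty list means clean."""
    problems: list[str] = []
    outer = list(tlvs(der))
    if len(outer) != 1 or outer[0][0] != TAG_SEQUENCE:
        return ["extension value is not a single SEQUENCE"]
    infos = list(tlvs(outer[0][1]))
    if not infos:
        problems.append("certificatePolicies is empty (SIZE (1..MAX))")
    for tag, content in infos:
        fields = list(tlvs(content)) if tag == TAG_SEQUENCE else []
        if not fields or fields[0][0] != TAG_OID:
            problems.append("PolicyInformation is not SEQUENCE { OID, ... }")
            continue
        oid = decode_oid(fields[0][1])
        if len(fields) > 2:
            problems.append(f"{oid}: unexpected trailing fields")
        elif len(fields) == 2 and fields[1][0] == TAG_SEQUENCE and not fields[1][1]:
            problems.append(f"{oid}: policyQualifiers present but empty (SIZE (1..MAX))")
    return problems


if __name__ == "__main__":
    for msg in check_certificate_policies(BUGGY_CERT_POLICIES):
        print("buggy:", msg)
    fixed = encode_certificate_policies([(NIST_TEST_POLICY_1, None)])
    print("fixed:", fixed.hex().upper(), check_certificate_policies(fixed) or "ok")
```

Run against the issue's bytes the checker reports the empty `policyQualifiers`; encoding the same policy with the field omitted yields `300E300C060A60864801650302013001`, two bytes shorter, which the checker accepts. Passing `b""` as the qualifiers reproduces certtool's buggy output byte for byte, which is a handy regression check for the fix.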