[gnutls-devel] GnuTLS | Subnet mask analysis (#1596)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Dec 3 03:53:46 CET 2024




Daiki Ueno commented: https://gitlab.com/gnutls/gnutls/-/issues/1596#note_2237339116


Sorry for the late response. When running `certtool -i --inder --infile test.der` with `-d10`, I see the following:
```console
|<3>| ASSERT: ../../../lib/x509/name_constraints.c[validate_name_constraints_node]:112
|<3>| ASSERT: ../../../lib/x509/name_constraints.c[_gnutls_extract_name_constraints]:171
|<3>| ASSERT: ../../../lib/x509/x509_ext.c[gnutls_x509_ext_import_name_constraints]:425
```
So the import is actually failing but ignored, resulting in the empty name constraints extension being printed; we should probably print an error at import as in [SCTS](https://gitlab.com/gnutls/gnutls/-/blob/403a0e72318388b875e0358c156eed2ab50168e2/lib/x509/output.c). As for verification, it's similar: given the name constraints are empty, it succeeds. However, if you compile gnutls with `--enable-strict-x509`, you would see it is rejected at import time:
```console
src/certtool -d2 -i --inder --infile test.der
Setting log level to 2
|<2>| error: could not parse extension (2.5.29.30)
import error: Error in the certificate.
```
```console
src/certtool -d2 --verify --infile Cases/masktest_n.pem --load-ca-certificate Cases/masktest_n_CA.pem
Setting log level to 2
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Loaded CAs (1 available)
|<2>| error: could not parse extension (2.5.29.30)
error parsing CRTs: Error in the certificate.
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1596#note_2237339116
You're receiving this email because of your account on gitlab.com.
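As an added illustration (not GnuTLS code, and not the `test.der` from the issue), the Python below parses a DER-encoded NameConstraints extension (OID 2.5.29.30), checks each `iPAddress` subtree against the RFC 5280 layout (address followed by a mask, 8 octets for IPv4 and 32 for IPv6, with the mask a CIDR prefix of contiguous 1-bits), and models the two import policies described above: the lenient importer swallows the parse error and yields an empty extension, which is why verification still passes, while the strict importer propagates it. The assumption that a non-contiguous mask is the kind of defect `validate_name_constraints_node` rejects is mine; the log lines only show that the node check fails. The sample extension bytes are constructed in the code.

```python
import ipaddress

TAG_SEQUENCE = 0x30
TAG_PERMITTED = 0xA0   # [0] permittedSubtrees
TAG_EXCLUDED = 0xA1    # [1] excludedSubtrees
TAG_IPADDRESS = 0x87   # GeneralName iPAddress [7], primitive


def der_tlv(tag, body):
    """Encode one DER element; short-form length is enough for these samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def der_read(buf, off):
    """Decode one element at buf[off]; return (tag, body, offset past it)."""
    tag, length = buf[off], buf[off + 1]
    start = off + 2
    if length & 0x80:                       # long form: length of the length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def der_children(body):
    off = 0
    while off < len(body):
        tag, inner, off = der_read(body, off)
        yield tag, inner


def check_ip_subtree(value):
    """Validate one iPAddress GeneralSubtree value (address || mask)."""
    if len(value) not in (8, 32):
        return {"ok": False, "reason": "bad iPAddress length %d" % len(value)}
    half = len(value) // 2
    addr_str = str(ipaddress.ip_address(value[:half]))
    mask = value[half:]
    bits = half * 8
    # A CIDR mask is 1...10...0; its complement is then of the form 2^k - 1.
    inverted = ~int.from_bytes(mask, "big") & ((1 << bits) - 1)
    if inverted & (inverted + 1):
        return {"ok": False, "reason": "non-contiguous mask for " + addr_str,
                "address": addr_str, "mask": mask.hex()}
    return {"ok": True, "address": addr_str, "mask": mask.hex(),
            "prefix": bits - inverted.bit_length()}


def parse_name_constraints(ext_der):
    """Strict parse: raises ValueError on the first malformed subtree."""
    tag, body, _ = der_read(ext_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("NameConstraints is not a SEQUENCE")
    out = {"permitted": [], "excluded": []}
    for tag, subtrees in der_children(body):
        key = {TAG_PERMITTED: "permitted", TAG_EXCLUDED: "excluded"}.get(tag)
        if key is None:
            raise ValueError("unexpected tag 0x%02x in NameConstraints" % tag)
        for stag, subtree in der_children(subtrees):
            if stag != TAG_SEQUENCE:
                raise ValueError("GeneralSubtree is not a SEQUENCE")
            gn_tag, gn_value = next(der_children(subtree))   # base GeneralName
            if gn_tag != TAG_IPADDRESS:
                out[key].append({"ok": True, "type": "tag 0x%02x" % gn_tag})
                continue
            res = check_ip_subtree(gn_value)
            if not res["ok"]:
                raise ValueError(res["reason"])
            out[key].append(res)
    return out


def import_name_constraints(ext_der, strict):
    """Lenient mode returns an empty extension on error (so verification
    has nothing to enforce); strict mode fails the import, as with
    --enable-strict-x509 in the issue."""
    try:
        return parse_name_constraints(ext_der)
    except ValueError:
        if strict:
            raise
        return {"permitted": [], "excluded": []}


def strict_rejects(ext_der):
    try:
        import_name_constraints(ext_der, strict=True)
        return False
    except ValueError:
        return True


def ip_subtree(cidr, mask_override=b""):
    """Build a GeneralSubtree whose base is an iPAddress (constructed sample)."""
    net = ipaddress.ip_network(cidr, strict=False)
    mask = mask_override or net.netmask.packed
    return der_tlv(TAG_SEQUENCE,
                   der_tlv(TAG_IPADDRESS, net.network_address.packed + mask))


# Constructed sample extensions: one well-formed, one with a 255.0.255.0 mask.
GOOD_EXT = der_tlv(TAG_SEQUENCE, der_tlv(
    TAG_PERMITTED, ip_subtree("192.0.2.0/24") + ip_subtree("2001:db8::/32")))
BAD_EXT = der_tlv(TAG_SEQUENCE, der_tlv(
    TAG_PERMITTED, ip_subtree("192.0.2.0/24", bytes([255, 0, 255, 0]))))

if __name__ == "__main__":
    print("good, strict :", import_name_constraints(GOOD_EXT, strict=True))
    print("bad, lenient :", import_name_constraints(BAD_EXT, strict=False))
    print("bad, strict  :", "rejected" if strict_rejects(BAD_EXT) else "accepted")
```

The lenient path is the one to watch in a verifier: an extension that failed to parse is indistinguishable from one that was never present, so a constraint the CA intended to impose is silently dropped; logging or surfacing the parse error at import, as the comment above proposes, makes that condition visible.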



