[gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Jan 2 17:49:57 CET 2024



Jean-Luc Duprat created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1521



## Description of problem:
Cockpit (which uses GnuTLS) rejects a certificate chain with distributed trust.

The provided certificate file contains the certificate C for the TLS endpoint, followed by 3 chains of trust (Interm 2A, Interm 1A, Root A).  The three roots cross-signed each other.

Chain looks like so in PEM format:
C
Interm 2A
Interm 1A
Interm 2B
Interm 1B
Interm 2C
Interm 1C
KeyRootA_SignedB
KeyRootA_SignedC
KeyRootB_SignedA
KeyRootB_SignedC
KeyRootC_SignedA
KeyRootC_SignedB
Root A
Root B
Root C

This is not a public chain.

## Version of gnutls used:
gnutls-3.8.2-2.fc39.x86_64

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora 39

## How reproducible:

Steps to Reproduce:
If I run (checks the certificates that will be used by cockpit):
$ sudo /usr/libexec/cockpit-certificate-ensure --check
with the above chain, I get the following error from GnuTLS:
cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.

If I delete the cross-signed certificates of the roots from the chain, i.e.:
RootA_SignedB
RootA_SignedC
RootB_SignedA
RootB_SignedC
RootC_SignedA
RootC_SignedB

then there is no error.  Sorting this list of certificates should not cause an assertion.

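The chain layout in the report, as an added worked example that is not part of the issue, of Cockpit, or of GnuTLS: a small Python model of leaf-first chain ordering that accounts for every input certificate even when the roots cross-sign each other. The certificate records, the key identifiers and the helper names are constructed assumptions that mirror the sixteen-entry list above; the code makes no claim about what `_gnutls_sort_clist` does internally or why its assertion fires.

```python
"""Reference model of certificate-chain ordering with cross-signed roots.

Added example, not GnuTLS or Cockpit code.  Certificates are modelled as
plain records; the key identifiers are assumptions chosen so that each
cross-signed certificate certifies the same root key under another issuer,
which is what a cross-sign is.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str     # label used in the report
    subject: str  # subject name (a DN in reality, a plain string here)
    issuer: str   # issuer name
    key: str      # identifier of the key certified here (models SKI)
    sig_key: str  # identifier of the key that signed it (models AKI)

    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key == self.sig_key


# Constructed input, in the same order as the PEM file described in the report.
CHAIN = [
    Cert("C", "C", "Interm 2A", "kLeaf", "k2A"),
    Cert("Interm 2A", "Interm 2A", "Interm 1A", "k2A", "k1A"),
    Cert("Interm 1A", "Interm 1A", "Root A", "k1A", "kA"),
    Cert("Interm 2B", "Interm 2B", "Interm 1B", "k2B", "k1B"),
    Cert("Interm 1B", "Interm 1B", "Root B", "k1B", "kB"),
    Cert("Interm 2C", "Interm 2C", "Interm 1C", "k2C", "k1C"),
    Cert("Interm 1C", "Interm 1C", "Root C", "k1C", "kC"),
    Cert("KeyRootA_SignedB", "Root A", "Root B", "kA", "kB"),
    Cert("KeyRootA_SignedC", "Root A", "Root C", "kA", "kC"),
    Cert("KeyRootB_SignedA", "Root B", "Root A", "kB", "kA"),
    Cert("KeyRootB_SignedC", "Root B", "Root C", "kB", "kC"),
    Cert("KeyRootC_SignedA", "Root C", "Root A", "kC", "kA"),
    Cert("KeyRootC_SignedB", "Root C", "Root B", "kC", "kB"),
    Cert("Root A", "Root A", "Root A", "kA", "kA"),
    Cert("Root B", "Root B", "Root B", "kB", "kB"),
    Cert("Root C", "Root C", "Root C", "kC", "kC"),
]

# The same file with the six cross-signed root certificates deleted.
CHAIN_WITHOUT_CROSS = [c for c in CHAIN if not c.name.startswith("KeyRoot")]


def sort_chain(certs):
    """Order certs leaf-first by following issuer links.

    Returns (path, unused).  Every input certificate lands in exactly one of
    the two lists, whatever the input order and however many certificates
    share a subject name.  A self-signed issuer is preferred so a cross-signed
    root does not send the walk around the A -> B -> A cycle, and the
    `c not in path` filter terminates the walk if no self-signed root exists.
    """
    if not certs:
        return [], []
    path = [certs[0]]          # the end-entity certificate comes first
    while not path[-1].self_signed():
        cur = path[-1]
        candidates = [c for c in certs
                      if c.subject == cur.issuer and c.key == cur.sig_key
                      and c not in path]
        if not candidates:
            break              # incomplete chain: stop, do not fail
        candidates.sort(key=lambda c: not c.self_signed())  # self-signed first
        path.append(candidates[0])
    unused = [c for c in certs if c not in path]
    return path, unused


def subject_keyed_losses(certs):
    """Count certificates that vanish if a chain is indexed by subject alone.

    Cross-signed roots share their subject with the self-signed root, so a
    subject-keyed lookup silently drops them; this is the hard case any
    ordering routine has to expect.
    """
    by_subject = {c.subject: c for c in certs}
    return len(certs) - len(by_subject)


if __name__ == "__main__":
    for label, certs in (("full", CHAIN), ("no cross-signs", CHAIN_WITHOUT_CROSS)):
        path, unused = sort_chain(certs)
        print(f"{label}: path={[c.name for c in path]} unused={len(unused)} "
              f"of {len(certs)}; subject-only index would lose "
              f"{subject_keyed_losses(certs)}")
```

With the full list the walk reaches "Root A" after four certificates and leaves twelve unused, exactly as with the cross-signs deleted, since the cross-signed certificates are only ever needed by a verifier that trusts Root B or Root C instead of Root A. The invariant worth asserting in such a routine is that the path and the unused set together cover the input exactly once; an assertion keyed on a single certificate per subject name cannot hold for this input, because three certificates in it carry the subject "Root A".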



