[gnutls-devel] GnuTLS | CKA_NSS_SERVER_DISTRUST_AFTER does not work for a system p11 object (#1656)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Feb 5 09:46:22 CET 2025
Xi Ruoyao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1656
## Description of problem:
We have the following p11 object, converted from Mozilla certificate data:
```
[p11-kit-object-v1]
label: "Entrust Root Certification Authority - G2"
class: x-certificate-extension
object-id: 2.5.29.37
value: "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
modifiable: false
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvimekwAad2
6jK4lUEaydphTlhyz/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ0GqAgABF
HrDH55q/ElcnHKNoLwqHvWprDl5l8xx31dSFjXAhtLMy54ui1YY5ArG40kfO5MlJ
xDun3vtUfVe+8OhuwnmyOgtV4lCYFjITXC94VsHClLPyWuQnmp8k18bs0JslguPM
wsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNfnD70FyzmaaxOMkxid+q36OW7
NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBYrGQ0EgP4to2UYySk
cQIDAQAB
-----END PUBLIC KEY-----
[p11-kit-object-v1]
label: "Entrust Root Certification Authority - G2"
trusted: true
nss-mozilla-ca-policy: true
modifiable: false
nss-server-distrust-after: "241130235959Z"
nss-email-distrust-after: "%00"
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
Note that the certificate has a `nss-server-distrust-after` field. But when trying a website using this root CA with `gnutls-cli www.fidelity.com -d9999`:
```
|<2>| check_found_cert: cert doesn't match the expected
|<3>| ASSERT: pkcs11.c[find_cert_cb]:4272
|<3>| ASSERT: pkcs11.c[find_cert_cb]:4083
|<2>| get_distrust_after: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: pkcs11.c[_gnutls_pkcs11_get_distrust_after]:4861
|<2>| p11: No login requested.
|<2>| check_found_cert: cert doesn't match the expected
|<3>| ASSERT: pkcs11.c[find_cert_cb]:4272
|<3>| ASSERT: pkcs11.c[find_cert_cb]:4083
|<3>| ASSERT: pkcs11.c[_gnutls_pkcs11_get_distrust_after]:4876
|<2>| get_distrust_after: did not find any cert
```
So it seems GnuTLS has not really found the field.
## Version of gnutls used:
3.8.8
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Originally found on Beyond Linux From Scratch, same result on Fedora Rawhide
## How reproducible:
See above.
## Actual results:
GnuTLS accepts the certificate (the behavior is correct), but the debug info shows the `nss-server-distrust-after` field isn't found at all.
## Expected results:
GnuTLS still accepts the certificate, but only after comparing against the `nss-server-distrust-after` field.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1656
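An added example, not part of the issue or of GnuTLS itself: a small Python parser for the p11-kit-object-v1 text quoted above that extracts the `nss-server-distrust-after` attribute and applies the check the reporter expected, comparing a leaf certificate's notBefore against the distrust date (following the NSS meaning of the attribute: certificates issued after that date are not trusted for the given usage). The leaf date is a constructed input, and the parser handles only the attribute syntax visible in this issue.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the trust object from the issue, in p11-kit-object-v1
# format, with the PEM certificate that follows it omitted.
SAMPLE = '''[p11-kit-object-v1]
label: "Entrust Root Certification Authority - G2"
trusted: true
nss-mozilla-ca-policy: true
modifiable: false
nss-server-distrust-after: "241130235959Z"
nss-email-distrust-after: "%00"
'''

def unescape(value: str) -> bytes:
    """Decode the %XX byte escapes p11-kit uses inside quoted values."""
    return re.sub(rb"%([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), value.encode())

def parse_objects(text: str) -> list:
    """Split a p11-kit-object-v1 file into {attribute: value} dicts; quoted
    values become bytes, bare ones stay str, PEM lines are skipped."""
    objects = []
    for line in text.splitlines():
        if line.strip() == "[p11-kit-object-v1]":
            objects.append({})
        elif objects and ": " in line and not line.startswith("-----"):
            key, _, raw = line.partition(": ")
            objects[-1][key] = unescape(raw[1:-1]) if raw.startswith('"') else raw
    return objects

def distrust_after(obj: dict, usage: str):
    """nss-<usage>-distrust-after as an aware UTC datetime, or None when the
    value is empty or a single NUL byte (the sample's "%00" for e-mail)."""
    raw = obj.get(f"nss-{usage}-distrust-after", b"")
    if raw in (b"", b"\x00"):
        return None
    s = raw.decode()                       # ASN.1 UTCTime: YYMMDDHHMMSSZ
    yy = int(s[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 UTCTime pivot
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                    int(s[10:12]), tzinfo=timezone.utc)

def is_distrusted(obj: dict, leaf_not_before: datetime, usage="server") -> bool:
    """True when this CA carries a distrust-after date for the usage and the
    end-entity certificate's notBefore falls after it."""
    cutoff = distrust_after(obj, usage)
    return cutoff is not None and leaf_not_before > cutoff
```

Running `is_distrusted(parse_objects(SAMPLE)[0], leaf_not_before)` with the leaf's notBefore taken from the served chain gives the decision the reporter expected to see reflected in the GnuTLS debug output.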