[gnutls-devel] GnuTLS | GnuTLS doesn't validate version field when parsing PKCS#8 private key (#1715)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon Jun 9 10:21:48 CEST 2025
Lucky Roy created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1715
## Description of problem:
RFC 5958 shows `Version ::= INTEGER { v1(0), v2(1) } (v1, ..., v2)`; version identifies the version of OneAsymmetricKey. If publicKey is present, then version is set to v2, else version is set to v1. However, here GnuTLS accepts a key with version number 3; the attachment is the reproduction file. (In addition, RFC 5208 stipulates that the version number can only be 0.)

[test.zip](/uploads/ac4f0f3233edb1e9eabae1580d21df22/test.zip)
## Version of gnutls used:
gnutls-cli 3.7.3
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
Steps to Reproduce:
* one: ``gcc -o test3 test3.c `pkg-config --cflags --libs gnutls` ``
* two: `./test3`
## Actual results:
Accept the key.
## Expected results:
Since the version number is 3, it should be rejected.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1715
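The check the report asks for, as an added illustration that is not GnuTLS code and not the reporter's test3.c: a small self-contained DER walker that reads the OneAsymmetricKey structure from RFC 5958, rejects any version other than v1(0) or v2(1), and applies the quoted rule literally (v2 exactly when publicKey is present). The sample keys it checks are constructed in `build_sample_key` (Ed25519-shaped, with placeholder key bytes, not real keys); the result codes, function names and the strict reading of the version/publicKey rule are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes of the version check (this example's own convention). */
enum { PKCS8_OK = 0, PKCS8_MALFORMED = 1, PKCS8_BAD_VERSION = 2, PKCS8_VERSION_MISMATCH = 3 };

/* Minimal DER TLV reader (single-byte tags, definite lengths only).
 * On success fills tag/content/clen, advances *pos past the element, returns 0. */
static int der_read_tlv(const uint8_t *buf, size_t len, size_t *pos,
                        uint8_t *tag, const uint8_t **content, size_t *clen)
{
    size_t p = *pos, l;
    if (p >= len) return -1;
    *tag = buf[p++];
    if ((*tag & 0x1f) == 0x1f || p >= len) return -1;
    uint8_t first = buf[p++];
    if (first < 0x80) {
        l = first;                                  /* short form */
    } else {
        size_t n = first & 0x7f;                    /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || n > len - p) return -1;
        l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | buf[p++];
        if (l < 0x80) return -1;                    /* DER requires the shortest encoding */
    }
    if (l > len - p) return -1;                     /* element runs past the buffer */
    *content = buf + p;
    *clen = l;
    *pos = p + l;
    return 0;
}

/* Validate the version field of a OneAsymmetricKey / PrivateKeyInfo (RFC 5958):
 * only v1(0) and v2(1) exist, and v2 is used exactly when publicKey [1] is present. */
int pkcs8_check_version(const uint8_t *der, size_t len)
{
    size_t pos = 0, ipos = 0, seqlen, clen;
    uint8_t tag, version;
    const uint8_t *seq, *c;
    int seen_attrs = 0, has_pubkey = 0;

    /* OneAsymmetricKey ::= SEQUENCE { ... } must span the whole input */
    if (der_read_tlv(der, len, &pos, &tag, &seq, &seqlen) || tag != 0x30 || pos != len)
        return PKCS8_MALFORMED;

    /* version INTEGER: a DER-minimal 0 or 1 is exactly one content byte */
    if (der_read_tlv(seq, seqlen, &ipos, &tag, &c, &clen) || tag != 0x02 || clen == 0)
        return PKCS8_MALFORMED;
    if (clen != 1 || c[0] > 1)
        return PKCS8_BAD_VERSION;                   /* e.g. the version 3 from the report */
    version = c[0];

    /* privateKeyAlgorithm AlgorithmIdentifier (SEQUENCE), then privateKey OCTET STRING */
    if (der_read_tlv(seq, seqlen, &ipos, &tag, &c, &clen) || tag != 0x30)
        return PKCS8_MALFORMED;
    if (der_read_tlv(seq, seqlen, &ipos, &tag, &c, &clen) || tag != 0x04)
        return PKCS8_MALFORMED;

    /* attributes [0] IMPLICIT OPTIONAL, then publicKey [1] IMPLICIT BIT STRING OPTIONAL */
    while (ipos < seqlen) {
        if (der_read_tlv(seq, seqlen, &ipos, &tag, &c, &clen))
            return PKCS8_MALFORMED;
        if (tag == 0xa0 && !seen_attrs && !has_pubkey) { seen_attrs = 1; continue; }
        if (tag == 0x81 && !has_pubkey && clen >= 1)    { has_pubkey = 1; continue; }
        return PKCS8_MALFORMED;                     /* unknown, repeated or misordered field */
    }

    /* RFC 5958 rule quoted in the report: version is v2 if and only if publicKey is present */
    if (has_pubkey != (version == 1))
        return PKCS8_VERSION_MISMATCH;
    return PKCS8_OK;
}

/* Build a constructed Ed25519-shaped OneAsymmetricKey (placeholder bytes, not a real key)
 * with the given version byte and optionally a publicKey [1]. out needs >= 83 bytes. */
size_t build_sample_key(uint8_t version, int with_pubkey, uint8_t *out)
{
    static const uint8_t alg[] = { 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70 }; /* OID 1.3.101.112 */
    size_t n = 0;
    out[n++] = 0x30; out[n++] = (uint8_t)(3 + sizeof(alg) + 36 + (with_pubkey ? 35 : 0));
    out[n++] = 0x02; out[n++] = 0x01; out[n++] = version;                /* version INTEGER */
    memcpy(out + n, alg, sizeof(alg)); n += sizeof(alg);
    out[n++] = 0x04; out[n++] = 0x22; out[n++] = 0x04; out[n++] = 0x20;  /* OCTET STRING { OCTET STRING (32) } */
    for (int i = 0; i < 32; i++) out[n++] = (uint8_t)i;                  /* placeholder scalar bytes */
    if (with_pubkey) {
        out[n++] = 0x81; out[n++] = 0x21; out[n++] = 0x00;               /* [1] BIT STRING, 0 unused bits */
        for (int i = 0; i < 32; i++) out[n++] = (uint8_t)(0xa0 + i);     /* placeholder public key */
    }
    return n;
}

/* Demo/test helper: build a sample, optionally drop trailing bytes, and check it. */
int check_sample(uint8_t version, int with_pubkey, size_t drop_tail)
{
    uint8_t buf[96];
    size_t n = build_sample_key(version, with_pubkey, buf);
    return pkcs8_check_version(buf, n > drop_tail ? n - drop_tail : 0);
}

int main(void)
{
    static const char *names[] = { "accepted", "malformed", "undefined version", "version/publicKey mismatch" };
    printf("v1, no publicKey   : %s\n", names[check_sample(0, 0, 0)]);
    printf("v2 with publicKey  : %s\n", names[check_sample(1, 1, 0)]);
    printf("version 3 (report) : %s\n", names[check_sample(3, 0, 0)]);
    printf("v1 with publicKey  : %s\n", names[check_sample(0, 1, 0)]);
    return 0;
}
```

Distinguishing an undefined version from a version/publicKey mismatch matters for triage: the first is what the report describes (a value outside the INTEGER's named range that a parser should refuse outright), the second is a structurally valid key whose fields disagree with each other. Both are cheap to check before any key material is handed to the rest of the library.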