<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<div></div>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">I think GnuTLS might not be conforming with <a href="https://tools.ietf.org/html/rfc5280#section-4.1.1.2" rel="nofollow noreferrer noopener" target="_blank">RFC5280 section 4.1.1.2</a>.</p>
<blockquote dir="auto">
<p>This field MUST contain the same algorithm identifier as the
signature field in the sequence tbsCertificate (Section 4.1.2.3).</p>
</blockquote>
<p dir="auto">GnuTLS does not consider the parameters of the <code>signatureAlgorithm</code> to be part of the <code>AlgorithmIdentifier</code>, and therefore the outer <code>signatureAlgorithm</code> can be different from the <code>tbsCertificate</code> <code>signatureAlgorithm</code>. This behavior does not match the behaviour of OpenSSL and NSS who do consider the parameters part of the identifier.</p>
<p dir="auto">I think that this isn't a security vulnerability on it's own (although, I am not a cryptographer), because most (do any?) algorithms don't specify any parameters. However, you can modify and add new objects to signed certificates and they will still verify.</p>
<p dir="auto">That <em><strong>really</strong></em> feels like it might have significant consequences, even though I don't have the crypto skills to analyze it.</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">3.6.6</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Built from source</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">I modified <a href="https://crt.sh/?id=18" rel="nofollow noreferrer noopener" target="_blank">this certificate</a> to change the outer <code>signatureAlgorithm</code> to have a 1 byte BIT STRING object (rather than the RFC-required NULL object).</p>
<p dir="auto">I could make the object larger because the signature starts with an empty byte I can truncate (maybe there are certificates with more room).</p>
<p dir="auto">Steps to Reproduce:</p>
<ul dir="auto">
<li>Download the attached pem certificate.</li>
<li>Observe that the file is different from the original.</li>
<li>Notice that gnutls still verifies the certificate.</li>
</ul>
<p dir="auto">OpenSSL does not consider it valid.</p>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ certtool --verify-allow-broken --verify --infile AlgorithmIdentifer.parameters.pem</span>
<span id="LC2" class="line" lang="plaintext">Loaded system trust (299 CAs available)</span>
<span id="LC3" class="line" lang="plaintext"> Subject: CN=RapidSSL CA,O=GeoTrust\, Inc.,C=US</span>
<span id="LC4" class="line" lang="plaintext"> Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US</span>
<span id="LC5" class="line" lang="plaintext"> Checked against: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US</span>
<span id="LC6" class="line" lang="plaintext"> Signature algorithm: RSA-SHA1</span>
<span id="LC7" class="line" lang="plaintext"> Output: Verified. The certificate is trusted. </span>
<span id="LC8" class="line" lang="plaintext"></span>
<span id="LC9" class="line" lang="plaintext">Chain verification output: Verified. The certificate is trusted. </span></code></pre>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ openssl verify AlgorithmIdentifer.parameters.pem</span>
<span id="LC2" class="line" lang="plaintext">C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA</span>
<span id="LC3" class="line" lang="plaintext">error 7 at 0 depth lookup: certificate signature failure</span>
<span id="LC4" class="line" lang="plaintext">error AlgorithmIdentifer.parameters.pem: verification failed</span></code></pre>
<p dir="auto">If you look at the diff between the two certificates, you can see the changes I made:</p>
<pre class="code highlight js-syntax-highlight diff" lang="diff" v-pre="true"><code><span id="LC1" class="line" lang="diff"><span class="gd">--- /dev/fd/63 2019-02-05 14:13:31.409400948 -0800</span></span>
<span id="LC2" class="line" lang="diff"><span class="gi">+++ /dev/fd/62 2019-02-05 14:13:31.409400948 -0800</span></span>
<span id="LC3" class="line" lang="diff"><span class="gu">@@ -1,4 +1,4 @@</span></span>
<span id="LC4" class="line" lang="diff"><span class="gd">- 0:d=0 hl=4 l= 981 cons: SEQUENCE </span></span>
<span id="LC5" class="line" lang="diff"><span class="gi">+ 0:d=0 hl=4 l= 982 cons: SEQUENCE </span></span>
<span id="LC6" class="line" lang="diff"> 4:d=1 hl=4 l= 701 cons: SEQUENCE </span>
<span id="LC7" class="line" lang="diff"> 8:d=2 hl=2 l= 3 cons: cont [ 0 ] </span>
<span id="LC8" class="line" lang="diff"> 10:d=3 hl=2 l= 1 prim: INTEGER :02</span>
<span id="LC9" class="line" lang="diff"><span class="gu">@@ -62,7 +62,7 @@</span></span>
<span id="LC10" class="line" lang="diff"> 655:d=4 hl=2 l= 52 cons: SEQUENCE </span>
<span id="LC11" class="line" lang="diff"> 657:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access</span>
<span id="LC12" class="line" lang="diff"> 667:d=5 hl=2 l= 40 prim: OCTET STRING [HEX DUMP]:3026302406082B060105050730018618687474703A2F2F6F6373702E67656F74727573742E636F6D</span>
<span id="LC13" class="line" lang="diff"><span class="gd">- 709:d=1 hl=2 l= 13 cons: SEQUENCE </span></span>
<span id="LC14" class="line" lang="diff"><span class="gi">+ 709:d=1 hl=2 l= 14 cons: SEQUENCE </span></span>
<span id="LC15" class="line" lang="diff"> 711:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption</span>
<span id="LC16" class="line" lang="diff"><span class="gd">- 722:d=2 hl=2 l= 0 prim: NULL </span></span>
<span id="LC17" class="line" lang="diff"><span class="gd">- 724:d=1 hl=4 l= 257 prim: BIT STRING </span></span>
<span id="LC18" class="line" lang="diff"><span class="gi">+ 722:d=2 hl=2 l= 1 prim: OCTET STRING :A</span></span>
<span id="LC19" class="line" lang="diff"><span class="gi">+ 725:d=1 hl=4 l= 257 prim: BIT STRING </span></span></code></pre>
<p dir="auto">Notice I just added an OCTET STRING where the parameters are supposed to be (in fact, the RFC says it SHALL be NULL, so this is non-conforming)</p>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/698">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/1d1003f0c0312c0e4dce3e581b6b2fcc/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/698"}}</script>
</p>
</div>
</body>
</html>