<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<div></div>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">gnutls rejects intermediate CA when root CA has a name constraint and intermediate CA does not have Extended key usage (2.5.29.37)
pidgin-2.13.0 cannot validate XMPP server certificate and does not connect</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">3.6.7</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">OpenSUSE Tumbleweed</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">I have an internal PKI infrastructure like this:</p>
<p dir="auto">Root CA
Intermediate CA
Servers certificates</p>
<p dir="auto">My Root CA have some name constraints that limit Servers certificate to only domains under our control. We have been using this setup for some years now without issues. However, pidgin always failed to authenticate xmpp certificates.</p>
<p dir="auto">pidgin has x509_certificate_signed_by to test a certificate validity. It will be called twice:</p>
<p dir="auto">x509_certificate_signed_by("server_certificate", "Intermediate CA")
x509_certificate_signed_by("Intermediate CA", "Root CA")</p>
<p dir="auto">In that pidgin function, it calls gnutls_x509_crt_verify (a _gnutls_verify_crt_status wrapper) with the comment "Now, check the signature".</p>
<p dir="auto">_gnutls_verify_crt_status eventually calls "verify_crt()" with the comment "Verify the last certificate in the certificate path"</p>
<p dir="auto">One of the tests is:</p>
<p dir="auto">gnutls_x509_name_constraints_check_crt(vparams->nc, GNUTLS_SAN_DNSNAME, cert);</p>
<p dir="auto">Which will test name constraints agains DNSNAME (subjetAltName). However, if no subjetAltName was found, it will also test against CN but only "verify the name constraints against the CN, if the certificate is not a CA. We do this check only on certificates marked as WWW server, because that's where the CN check is only performed.".</p>
<p dir="auto">It checks if it is a "server certificate" and not a CA using _gnutls_check_key_purpose that calls gnutls_x509_crt_get_key_purpose_oid. gnutls_x509_crt_get_key_purpose_oid simply bails out if there is no "2.5.29.37" extension and it assumes that certificate can be used by "any purpose". Well, my Intermediate CA has these key usage (2.5.29.15): "Certificate Sign, CRL Sign" and Basic Constraint CA:TRUE, but not Extended key usage (2.5.29.37).</p>
<p dir="auto">My Intermediate CA is considered as a "Web Server". As it normally happens, my Intermediate CA CN will not be a valid DNS name that satisfy Root CA DNS Name constraint. "Intermediate CA" certificate is rejected and also "Server certificate".</p>
<p dir="auto">Normally a DNS name constraint should not be tested against a CN that does not look like a FQDN.
Also, I might have missed something but it looks like name constraint are tested only against issuer name constraint. However, name constraint should be tested all way down the chain, testing "Server Certificate" names also against Root CA name constraints:</p>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">Client rejects server certificate blaming that "Intermediate CA" certificate is invalid</p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">As any other SSL lib tested, certificate should be accepted.
Also, gnutls-cli does accept that certificate.</p>
<p dir="auto">Is pidgin using something that it shouldn't?</p>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/776">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/8e61585a932cf872b617bebed0972b00/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/776"}}</script>
</p>
</div>
</body>
</html>