<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/Immortalem">Immortalem</a> created an issue <a href="https://gitlab.com/gnutls/gnutls/-/issues/1032">#1032</a>:
</p>
<div></div>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">During TLS client certificate authentication GnuTLS accepts a leaf certificate that contains non NULL parameters in the signatureAlgorithm and signature fields even though the respective signature algorithm, in this case sha256withRSAEncryption, requires the parameters to be NULL.</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">3.6.13, 3.6.14</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Compiled from source after cloning the respective branch from GitHub</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">Steps to Reproduce:</p>
<ul dir="auto">
<li>Start <code>gnutls-serv</code> with
<ul>
<li>
<a href="https://gitlab.com/gnutls/gnutls/uploads/1712ccd3fd67ee3efd0dc0b3764bf80f/ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem" data-link="true" class="gfm">ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem</a> for <code>--x509certfile</code>
</li>
<li>
<a href="https://gitlab.com/gnutls/gnutls/uploads/20e983c02290ac8b02c8e527cfdb3345/rsakey_2.pem" data-link="true" class="gfm">rsakey_2.pem</a> for <code>--x509keyfile</code>
</li>
<li>
<a href="https://gitlab.com/gnutls/gnutls/uploads/efcc33c618ecfca6784ee40998ede142/root.pem" data-link="true" class="gfm">root.pem</a> for <code>--x509cafile</code>
</li>
<li>require client certificate <code>-r</code>
</li>
<li>verify client certificate <code>--verify-client-cert</code>
</li>
</ul>
</li>
<li>Use OpenSSL <code>s_client</code> or similar tool to connect to the server using the following two certificates. This example uses OpenSSL.
<ul>
<li><code>openssl s_client -connect localhost:4444 -cert ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__leaf_certificate1.pem -key rsakey_2.pem -CAfile ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__ca_certificate1.pem</code></li>
<li><a href="https://gitlab.com/gnutls/gnutls/uploads/8e7782b17a8c4f9bd42c3065d15e4572/ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__leaf_certificate1.pem" data-link="true" class="gfm">ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__leaf_certificate1.pem</a></li>
<li><a href="https://gitlab.com/gnutls/gnutls/uploads/114c4b752b1ed62fb67b06588150ef95/ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__ca_certificate1.pem" data-link="true" class="gfm">ROOTv3_CAv3_LEAF_RSAv3_MalformedAlgorithmParameters__ca_certificate1.pem</a></li>
<li><a href="https://gitlab.com/gnutls/gnutls/uploads/20e983c02290ac8b02c8e527cfdb3345/rsakey_2.pem" data-link="true" class="gfm">rsakey_2.pem</a></li>
</ul>
</li>
</ul>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">GnuTLS considers the certificate valid even though it violates the specified values and proceeds with the handshake.</p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">GnuTLS should reject the certificate since it violates the <a href="https://tools.ietf.org/html/rfc3279#section-2.2.1" rel="nofollow noreferrer noopener" target="_blank">specification</a>.</p>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1032">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/-/sent_notifications/0f9473945a6b5ef6fd1fdfe701fc7906/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1032"}}</script>


</p>
</div>
</body>
</html>