<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p class="details" style="font-style: italic; color: #666;">
<a href="https://gitlab.com/moschlar">Moritz Schlarb</a> created an issue <a href="https://gitlab.com/gnutls/gnutls/-/issues/1132">#1132</a>:
</p>
<p dir="auto">First of all,
I'm sorry that I had to replace all the actual domain names, but I couldn't reach someone to tell me that it would be okay to post them here...
I hope it doesn't prevent you from having a look.</p>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">I have an (intermediate) certificate (generated and used on Windows) that includes Name Constraints (for Kerberos Principals) that OpenSSL seems to be able to parse (to some extent), but GnuTLS does not (at all):</p>
<p dir="auto">GnuTLS:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">~ # certtool --certificate-info --infile $INTERMEDIATE.pem | grep -C1 "Name Constraints"</span>
<span id="LC2" class="line" lang="plaintext"> Access Location URI: $CDP_URL</span>
<span id="LC3" class="line" lang="plaintext"> Name Constraints (critical):</span>
<span id="LC4" class="line" lang="plaintext"> Signature Algorithm: RSA-SHA256</span></code></pre>
<p dir="auto">OpenSSL:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">~ # openssl x509 -in $INTERMEDIATE.pem -noout -text | grep -A12 "Name Constraints"</span>
<span id="LC2" class="line" lang="plaintext"> X509v3 Name Constraints: critical</span>
<span id="LC3" class="line" lang="plaintext"> Permitted:</span>
<span id="LC4" class="line" lang="plaintext"> othername:<unsupported></span>
<span id="LC5" class="line" lang="plaintext"> othername:<unsupported></span>
<span id="LC6" class="line" lang="plaintext"> email:.$DOMAIN.$TLD</span>
<span id="LC7" class="line" lang="plaintext"> email:@$DOMAIN.$TLD</span>
<span id="LC8" class="line" lang="plaintext"> DNS:$DOMAIN</span>
<span id="LC9" class="line" lang="plaintext"> DNS:.$DOMAIN.$TLD</span>
<span id="LC10" class="line" lang="plaintext"> DNS:$DOMAIN.$TLD</span>
<span id="LC11" class="line" lang="plaintext"> DirName:DC = $TLD, DC = $DOMAIN</span>
<span id="LC12" class="line" lang="plaintext"> URI:http://.$DOMAIN.$TLD</span>
<span id="LC13" class="line" lang="plaintext"> URI:http://$DOMAIN.$TLD</span>
<span id="LC14" class="line" lang="plaintext"></span></code></pre>
<p dir="auto">Windows:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">Permitted</span>
<span id="LC2" class="line" lang="plaintext"> [1]Subtrees (0..Max):</span>
<span id="LC3" class="line" lang="plaintext"> Other Name:</span>
<span id="LC4" class="line" lang="plaintext"> Principal Name=.$DOMAIN.$TLD</span>
<span id="LC5" class="line" lang="plaintext"> [2]Subtrees (0..Max):</span>
<span id="LC6" class="line" lang="plaintext"> Other Name:</span>
<span id="LC7" class="line" lang="plaintext"> Principal Name=@$DOMAIN.$TLD</span>
<span id="LC8" class="line" lang="plaintext"> [3]Subtrees (0..Max):</span>
<span id="LC9" class="line" lang="plaintext"> RFC822 Name=.$DOMAIN.$TLD</span>
<span id="LC10" class="line" lang="plaintext"> [4]Subtrees (0..Max):</span>
<span id="LC11" class="line" lang="plaintext"> RFC822 Name=@$DOMAIN.$TLD</span>
<span id="LC12" class="line" lang="plaintext"> [5]Subtrees (0..Max):</span>
<span id="LC13" class="line" lang="plaintext"> DNS Name=$DOMAIN</span>
<span id="LC14" class="line" lang="plaintext"> [6]Subtrees (0..Max):</span>
<span id="LC15" class="line" lang="plaintext"> DNS Name=.$DOMAIN.$TLD</span>
<span id="LC16" class="line" lang="plaintext"> [7]Subtrees (0..Max):</span>
<span id="LC17" class="line" lang="plaintext"> DNS Name=$DOMAIN.$TLD</span>
<span id="LC18" class="line" lang="plaintext"> [8]Subtrees (0..Max):</span>
<span id="LC19" class="line" lang="plaintext"> Directory Address:</span>
<span id="LC20" class="line" lang="plaintext"> DC=$DOMAIN</span>
<span id="LC21" class="line" lang="plaintext"> DC=$TLD</span>
<span id="LC22" class="line" lang="plaintext"> [9]Subtrees (0..Max):</span>
<span id="LC23" class="line" lang="plaintext"> URL=http://.$DOMAIN.$TLD</span>
<span id="LC24" class="line" lang="plaintext"> [10]Subtrees (0..Max):</span>
<span id="LC25" class="line" lang="plaintext"> URL=http://$DOMAIN.$TLD</span>
<span id="LC26" class="line" lang="plaintext">Excluded=None</span></code></pre>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">3.6.7 and 3.7.0</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Debian Stable and Unstable</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">I tried to reproduce the certificate setup but it seems impossible to add the unsupported name constraints by OID and I can't create a leaf certificate with a <code>null</code> subject.</p>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">~ # certtool --verify --verify-hostname $LEAF --load-ca-certificate $CA --infile $LEAF</span>
<span id="LC2" class="line" lang="plaintext">Loaded CAs (1 available)</span>
<span id="LC3" class="line" lang="plaintext"> Subject: $INTERMEDIATE</span>
<span id="LC4" class="line" lang="plaintext"> Issuer: $CA</span>
<span id="LC5" class="line" lang="plaintext"> Checked against: $CA</span>
<span id="LC6" class="line" lang="plaintext"> Signature algorithm: RSA-SHA256</span>
<span id="LC7" class="line" lang="plaintext"> Output: Verified. The certificate is trusted. </span>
<span id="LC8" class="line" lang="plaintext"></span>
<span id="LC9" class="line" lang="plaintext"> Subject: (null)</span>
<span id="LC10" class="line" lang="plaintext"> Issuer: $INTERMEDIATE</span>
<span id="LC11" class="line" lang="plaintext"> Checked against: $INTERMEDIATE</span>
<span id="LC12" class="line" lang="plaintext"> Signature algorithm: RSA-SHA256</span>
<span id="LC13" class="line" lang="plaintext"> Output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints. </span>
<span id="LC14" class="line" lang="plaintext"></span>
<span id="LC15" class="line" lang="plaintext">Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints. </span></code></pre>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">Leaf certificate should be trusted (it is in OpenSSL):</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">openssl verify -CAfile $CA+INTERMEDIATE $LEAF</span>
<span id="LC2" class="line" lang="plaintext">$LEAF: OK</span></code></pre>
</div>
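<p dir="auto">Added example (not part of the issue or of the GnuTLS code base): a stdlib-only Python walker that decodes the DER of a NameConstraints extension and names the form of each GeneralSubtree, so a critical constraint that certtool prints as empty and OpenSSL as <code>othername:&lt;unsupported&gt;</code> can still be inspected. The sample extension, its <code>example.test</code> names, and the assumption that the Windows "Principal Name" entries are UPN otherNames (OID 1.3.6.1.4.1.311.20.2.3) are constructed here, not taken from the reporter's certificate.</p>

```python
# Added example (not from the GnuTLS issue or project): walk the DER of a NameConstraints
# extension and list each GeneralSubtree, including otherName entries. Sample data is constructed.
def tlv(tag: int, body: bytes) -> bytes:           # DER TLV, short-form length (sample < 128 bytes)
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, i: int):                  # -> (tag, value, next_index); long form handled
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                   # long form: n & 0x7F length octets follow
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def children(buf: bytes):                          # yield (tag, value) for each TLV in a constructed value
    i = 0
    while i < len(buf):
        tag, val, i = read_tlv(buf, i)
        yield tag, val

def decode_oid(b: bytes) -> str:
    arcs, cur = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:                                # base-128; high bit set on all but the last octet
        cur = (cur << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

FORMS = {0xA0: "otherName", 0x81: "rfc822Name", 0x82: "dNSName",
         0xA4: "directoryName", 0x86: "uniformResourceIdentifier"}

def describe(name_constraints_der: bytes) -> list:
    """One 'permitted|excluded <form> <detail>' string per GeneralSubtree, in DER order."""
    out = []
    _, body, _ = read_tlv(name_constraints_der, 0)               # outer NameConstraints SEQUENCE
    for tag, subtrees in children(body):                         # [0] permitted / [1] excluded
        kind = "permitted" if tag == 0xA0 else "excluded"
        for _, subtree in children(subtrees):                    # each GeneralSubtree SEQUENCE
            gtag, gval, _ = read_tlv(subtree, 0)                 # base GeneralName; min/max ignored
            if gtag == 0xA0:                                     # OtherName: type-id OID, then [0] value
                detail = "type-id " + decode_oid(read_tlv(gval, 0)[1])
            elif gtag == 0xA4:                                   # directoryName: nested DER Name
                detail = "<DER Name, %d bytes>" % len(gval)
            else:                                                # IA5String forms
                detail = gval.decode("ascii")
            out.append(f"{kind} {FORMS.get(gtag, 'tag 0x%02x' % gtag)} {detail}")
    return out

# Constructed sample: a UPN otherName (OID 1.3.6.1.4.1.311.20.2.3, assumed to be the form Windows
# shows as "Principal Name"), plus rfc822Name, dNSName and URI permitted subtrees.
UPN_OID = bytes.fromhex("2B060104018237140203")
SAMPLE = tlv(0x30, tlv(0xA0, b"".join(tlv(0x30, tlv(t, v)) for t, v in [
    (0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"@example.test"))),
    (0x81, b".example.test"), (0x82, b"example.test"), (0x86, b"http://example.test")])))
```

<p dir="auto">Feed <code>describe()</code> the extnValue contents (the bytes inside the extension's OCTET STRING) of a real Name Constraints extension; directoryName subtrees are reported by size only.</p>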
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1132">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/-/sent_notifications/7bee2c3613e025428c23f6378df7ddd3/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1132"}}</script>
</p>
</div>
</body>
</html>