<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p class="details" style="font-style: italic; color: #666;">

<a href="https://gitlab.com/dkg">Daniel Kahn Gillmor</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1238">#1238</a>

</p>

<div></div>

<p dir="auto">Consider a certtool template that contains one of the <a href="https://csrc.nist.gov/CSRC/media/Projects/Computer-Security-Objects-Register/documents/test_policy.pdf" rel="nofollow noreferrer noopener" target="_blank">NIST test policies</a>:</p>

<pre class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">policy1 = 2.16.840.1.101.3.2.1.48.1</span></code></pre>

<p dir="auto">but doesn't contain either <code>policy1_txt</code> or <code>policy1_url</code>.</p>

<p dir="auto">In this case, <code>certtool</code> embeds an x509v3 certificatePolicies (2.5.29.32) extension with the value <code>3010300E060A608648016503020130013000</code>, which unpacks to:</p>

<pre class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">  0  16: SEQUENCE {</span>

<span id="LC2" class="line" lang="plaintext">  2  14:   SEQUENCE {</span>

<span id="LC3" class="line" lang="plaintext">  4  10:     OBJECT IDENTIFIER nistTestPolicy1 (2 16 840 1 101 3 2 1 48 1)</span>

<span id="LC4" class="line" lang="plaintext"> 16   0:     SEQUENCE {}</span>

<span id="LC5" class="line" lang="plaintext">       :     }</span>

<span id="LC6" class="line" lang="plaintext">       :   }</span></code></pre>

<p dir="auto">RFC 3280 defines this structure as a <code>certificatePolicies</code> structure:</p>

<pre class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation</span>

<span id="LC2" class="line" lang="plaintext"></span>

<span id="LC3" class="line" lang="plaintext">   PolicyInformation ::= SEQUENCE {</span>

<span id="LC4" class="line" lang="plaintext">        policyIdentifier   CertPolicyId,</span>

<span id="LC5" class="line" lang="plaintext">        policyQualifiers   SEQUENCE SIZE (1..MAX) OF</span>

<span id="LC6" class="line" lang="plaintext">                                PolicyQualifierInfo OPTIONAL }</span>

<span id="LC7" class="line" lang="plaintext"></span>

<span id="LC8" class="line" lang="plaintext">   CertPolicyId ::= OBJECT IDENTIFIER</span>

<span id="LC9" class="line" lang="plaintext"></span>

<span id="LC10" class="line" lang="plaintext">   PolicyQualifierInfo ::= SEQUENCE {</span>

<span id="LC11" class="line" lang="plaintext">        policyQualifierId  PolicyQualifierId,</span>

<span id="LC12" class="line" lang="plaintext">        qualifier          ANY DEFINED BY policyQualifierId }</span></code></pre>

<p dir="auto">The final empty sequence (starting at octet 16) is the <code>policyQualifiers</code> object.  This object is optional.  But if it is present, it is a sequence of at least size 1.</p>

<p dir="auto">If there are no qualifiers, <code>certtool</code> should instead omit the <code>policyQualifiers</code> sequence entirely, rather than emitting it as an empty sequence.</p>

<p dir="auto">This was caught by <a href="https://github.com/dcooper16/cert_check" rel="nofollow noreferrer noopener" target="_blank">David Cooper's cert_check</a>.</p>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #666;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1238">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/-/sent_notifications/6fe0dc39e4e7fd6453c0e625ca30d6cf/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1238"}}</script>

</p>

</div>

</body>

</html>