<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #666;">
<a href="https://gitlab.com/dkg">Daniel Kahn Gillmor</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1238">#1238</a>
</p>
<p dir="auto">Consider a certtool template that contains one of the <a href="https://csrc.nist.gov/CSRC/media/Projects/Computer-Security-Objects-Register/documents/test_policy.pdf" rel="nofollow noreferrer noopener" target="_blank">NIST test policies</a>:</p>
<pre class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">policy1 = 2.16.840.1.101.3.2.1.48.1</span></code></pre>
<p dir="auto">but doesn't contain either <code>policy1_txt</code> or <code>policy1_url</code>.</p>
<p dir="auto">In this case, <code>certtool</code> embeds an x509v3 certificatePolicies (2.5.29.32) extension with the value <code>3010300E060A608648016503020130013000</code>, which unpacks to:</p>
<pre class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">  0  16: SEQUENCE {</span>
<span id="LC2" class="line" lang="plaintext">  2  14:   SEQUENCE {</span>
<span id="LC3" class="line" lang="plaintext">  4  10:     OBJECT IDENTIFIER nistTestPolicy1 (2 16 840 1 101 3 2 1 48 1)</span>
<span id="LC4" class="line" lang="plaintext"> 16   0:     SEQUENCE {}</span>
<span id="LC5" class="line" lang="plaintext">       :     }</span>
<span id="LC6" class="line" lang="plaintext">       :   }</span></code></pre>
<p dir="auto">RFC 3280 defines this structure as a <code>certificatePolicies</code> structure:</p>
<pre class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation</span>
<span id="LC2" class="line" lang="plaintext"></span>
<span id="LC3" class="line" lang="plaintext">   PolicyInformation ::= SEQUENCE {</span>
<span id="LC4" class="line" lang="plaintext">        policyIdentifier   CertPolicyId,</span>
<span id="LC5" class="line" lang="plaintext">        policyQualifiers   SEQUENCE SIZE (1..MAX) OF</span>
<span id="LC6" class="line" lang="plaintext">                                PolicyQualifierInfo OPTIONAL }</span>
<span id="LC7" class="line" lang="plaintext"></span>
<span id="LC8" class="line" lang="plaintext">   CertPolicyId ::= OBJECT IDENTIFIER</span>
<span id="LC9" class="line" lang="plaintext"></span>
<span id="LC10" class="line" lang="plaintext">   PolicyQualifierInfo ::= SEQUENCE {</span>
<span id="LC11" class="line" lang="plaintext">        policyQualifierId  PolicyQualifierId,</span>
<span id="LC12" class="line" lang="plaintext">        qualifier          ANY DEFINED BY policyQualifierId }</span></code></pre>
<p dir="auto">The final empty sequence (starting at octet 16) is the <code>policyQualifiers</code> object.  This object is optional.  But if it is present, it is a sequence of at least size 1.</p>
<p dir="auto">If there are no qualifiers, <code>certtool</code> should instead omit the <code>policyQualifiers</code> sequence entirely, rather than emitting it as an empty sequence.</p>
<p dir="auto">This was caught by <a href="https://github.com/dcooper16/cert_check" rel="nofollow noreferrer noopener" target="_blank">David Cooper's cert_check</a>.</p>
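<p dir="auto">As an added illustration that is not part of the issue, GnuTLS, certtool or cert_check: a small Python DER walker that parses the extension value quoted above, reports the empty <code>policyQualifiers</code> SEQUENCE the way a certificate linter would, and re-encodes the extension with that SEQUENCE omitted. The corrected byte string <code>GOOD_CERT_POLICIES</code> is constructed here, and the code assumes the short-form DER lengths this extension actually uses.</p>

```python
# Added example, not GnuTLS, certtool or cert_check code; it walks the DER
# quoted above and assumes the short-form lengths that extension actually uses.
BAD_CERT_POLICIES = bytes.fromhex("3010300E060A608648016503020130013000")
GOOD_CERT_POLICIES = bytes.fromhex("300E300C060A60864801650302013001")  # constructed
SEQUENCE, OID = 0x30, 0x06

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form lengths do not occur in this extension"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, acc = (list(divmod(content[0], 40)) if content[0] < 80 else [2, content[0] - 80]), 0
    for b in content[1:]:  # base 128, high bit set on continuation octets
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_cert_policies(der):
    """[(oid, qualifiers)]: None if policyQualifiers is absent, b"" if empty."""
    tag, outer, end = read_tlv(der, 0)
    assert tag == SEQUENCE and end == len(der), "not a certificatePolicies"
    out, pos = [], 0
    while pos < len(outer):
        tag, info, pos = read_tlv(outer, pos)
        tag2, oid, ipos = read_tlv(info, 0)
        assert tag == SEQUENCE and tag2 == OID, "malformed PolicyInformation"
        quals = read_tlv(info, ipos)[1] if ipos < len(info) else None
        out.append((decode_oid(oid), quals))
    return out

def lint_cert_policies(der):
    """One cert_check-style finding per empty policyQualifiers SEQUENCE."""
    return [f"{oid}: empty policyQualifiers SEQUENCE violates SIZE (1..MAX)"
            for oid, quals in parse_cert_policies(der) if quals == b""]

def fix_cert_policies(der):
    """Re-encode with empty policyQualifiers omitted, as RFC 3280 requires."""
    outer, fixed, pos = read_tlv(der, 0)[1], b"", 0
    while pos < len(outer):
        _, info, pos = read_tlv(outer, pos)
        tag, oid, ipos = read_tlv(info, 0)
        body = bytes([tag, len(oid)]) + oid
        if ipos < len(info) and read_tlv(info, ipos)[1]:
            body += info[ipos:]  # non-empty qualifiers are kept verbatim
        fixed += bytes([SEQUENCE, len(body)]) + body
    return bytes([SEQUENCE, len(fixed)]) + fixed
```

<p dir="auto">Running <code>lint_cert_policies</code> over the quoted value yields one finding for <code>2.16.840.1.101.3.2.1.48.1</code>, and <code>fix_cert_policies</code> returns the 16-octet encoding with only the <code>policyIdentifier</code> inside the <code>PolicyInformation</code>.</p>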

</div>
</body>
</html>