<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #666;">
<a href="https://gitlab.com/asantoni64">Adriano Santoni</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1287">#1287</a>
</p>
<div></div>
<p dir="auto">Hello,</p>
<p dir="auto">I am not reporting a bug, I think, but sharing a reasoning and requesting confirmation or an alternative explanation.</p>
<p dir="auto">The attached CSR does not verify with <strong>certtool</strong>:</p>
<pre class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">      $ certtool --crq-info --infile &lt;csr-file&gt;</span>
<span id="LC2" class="line" lang="plaintext">       Self signature: FAILED</span></code></pre>
<p dir="auto">I suppose this result is correct, in that - based on my investigations and my understanding of RFC2986 - the signature in the attached CSR seems to have been computed over its certificationRequestInfo element without first DER-encoding it (as per RFC2986), which means having computed it over the wrong data.</p>
<p dir="auto">In fact, the attached CSR is not already DER-encoded (it contains an unordered multi-value RDN in the Subject field), therefore DER encoding the certificationRequestInfo element yields different bytes than those found in the CSR itself. Hence the FAILED result, if my reasoning is correct.</p>
<p dir="auto">I am not fully sure of my theory, though, and there could be other explanations, so I'd appreciate some GnuTLS developer(s) to confirm it or refute it.</p>
<p dir="auto"><a href="https://gitlab.com/gnutls/gnutls/uploads/fc76184b01038e828238299558ef12ed/problematic-csr.pem" data-canonical-src="/uploads/fc76184b01038e828238299558ef12ed/problematic-csr.pem" data-link="true" class="gfm">problematic-csr.pem</a></p>

</div>
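<p>Added example, not part of the original issue and not GnuTLS code: it shows why the theory in the post would produce a failed self-signature, by DER re-encoding a reduced certificationRequestInfo whose subject holds a multi-valued RDN in non-DER order and comparing the digests of the two byte strings. The attribute values and the reduced structure (version and subject only) are constructed for illustration, and every SET is treated as a SET OF.</p>

```python
import hashlib

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n >= 0x80:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(size)]) + size + body
    return bytes([tag, n]) + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first >= 0x80:                      # long-form length
        k = first & 0x7F
        first = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + first], pos + first

def der_canonical(enc: bytes) -> bytes:
    """Re-encode enc, sorting the members of every SET (0x31) as DER requires."""
    tag, body, _ = read_tlv(enc)
    if not tag & 0x20:                     # primitive type: nothing to reorder
        return enc
    kids, pos = [], 0
    while pos != len(body):
        _, _, end = read_tlv(body, pos)
        kids.append(der_canonical(body[pos:end]))
        pos = end
    if tag == 0x31:
        kids.sort()                        # SET OF: ascending by encoded octets
    return tlv(tag, b"".join(kids))

def atv(oid: bytes, text: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { OID, UTF8String }."""
    return tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode()))

# Constructed sample values, not taken from problematic-csr.pem.
CN = atv(bytes.fromhex("550403"), "example.test")
OU = atv(bytes.fromhex("55040b"), "Ops")
# Reduced certificationRequestInfo: version 0 and a subject with one
# multi-valued RDN whose members are in non-DER order (CN before OU).
AS_SENT = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x31, CN + OU)))
REENCODED = der_canonical(AS_SENT)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    print("signed by requester  :", digest(AS_SENT))
    print("after DER re-encoding:", digest(REENCODED))
```

<p>The two encodings have the same length and the same attributes; only the member order inside the SET differs, which is enough to change the digest a signature check would compare.</p>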
</body>
</html>