Fwd: [oss-security] please verify unusual x.509 constraints are handled

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Nov 2 19:06:08 CET 2012

On 10/31/2012 09:22 AM, Daniel Kahn Gillmor wrote:

> * The problem with canonicalization is the subjectName/issuerName DN
>   should be canonicalized, but this isnt always implemented. In this
>   case the PrintableString doesnt match the UTF8String. If this is the
>   only problem with the chain reported, then there is a bug.

I don't really understand what the author means here about
canonicalization of a DN (canonicalization is not a PKIX term), but most
probably he means about the caseIgnoreMatch string comparison algorithm
of RFC5280. This is utter idiocy that we are not going to support in
GnuTLS. The Distinguished name of a certificate isn't copied by a
secretary which may enter an extra space or transform a capital letter
to lower case. A certificate's DN is copied by software which does not
introduce these errors. The only issues we had with our opaque
comparison is on case where these errors were deliberately inserted for
testing, real world certificates do not have any issue.

I really don't know what the PKIX authors were thinking when adopting
this string comparison algorithm from the time of telex.


More information about the Gnutls-help mailing list