Fwd: [oss-security] please verify unusual x.509 constraints are handled

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 31 09:22:38 CET 2012


The attached message was sent earlier this year to oss-security,
implying that gnutls does not properly honor pathLenConstraint:

  http://openwall.com/lists/oss-security/2012/06/27/5

I'm unable to replicate the reported results with GnuTLS 2.8.6 (debian
squeeze), 3.0.22 (debian sid) or 3.1 (debian experimental).

What I see is (sid and experimental):

0 dkg at pip:/tmp/certtest$ cat local-cert.pem Mengsk.pem
sms.hallym.ac.kr.pem CA134040001.pem GPKIRootCA.pem | certtool -e
Loaded 5 certificates, 1 CAs and 0 CRLs

	Subject: C=KR,O=Government of Korea,OU=GPKI,CN=CA134040001
	Issuer: C=KR,O=Government of Korea,OU=GPKI,CN=GPKIRootCA
	Output: Not verified.

Chain verification output: Not verified.

1 dkg at pip:/tmp/certtest$


or (squeeze):

0 dkg at stable:~/certtest$ cat local-cert.pem Mengsk.pem
sms.hallym.ac.kr.pem CA134040001.pem GPKIRootCA.pem | certtool -e
Certificate[0]: C=KR,O=Tanaris,CN=localhost
	Issued by: C=KR,ST=Koprulu Sector,O=Terran Dominion,CN=Mengsk
Certificate Authority
	Verifying against certificate[1].
	Verification output: Verified.

Certificate[1]: C=KR,ST=Koprulu Sector,O=Terran Dominion,CN=Mengsk
Certificate Authority
	Issued by: C=KR,O=Government of Korea,OU=Group of Server,OU=교육과학기
술부,CN=sms.hallym.ac.kr
	Verifying against certificate[2].
	Verification output: Verified.

Certificate[2]: C=KR,O=Government of Korea,OU=Group of Server,OU=교육과
학기술부,CN=sms.hallym.ac.kr
	Issued by: C=KR,O=Government of Korea,OU=GPKI,CN=CA134040001
	Verifying against certificate[3].
	Verification output: Verified.

Certificate[3]: C=KR,O=Government of Korea,OU=GPKI,CN=CA134040001
	Issued by: C=KR,O=Government of Korea,OU=GPKI,CN=GPKIRootCA
	Verifying against certificate[4].
	Verification output: Not verified.

Certificate[4]: C=KR,O=Government of Korea,OU=GPKI,CN=GPKIRootCA
	Issued by: C=KR,O=Government of Korea,OU=GPKI,CN=GPKIRootCA
	Verification output: Verified.

Chain verification output: Not verified.
0 dkg at stable:~/certtest$

I'm happy to follow up with the original reporter, but I want to be sure
that I understand what's going on.

Any pointers or suggestions?

	--dkg
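The question in this thread is whether a verifier honours basicConstraints pathLenConstraint on an intermediate CA. As an added illustration (not GnuTLS or certtool code, and not from the reporter's test data), the following implements the RFC 5280 section 6.1.4 path-length bookkeeping over a simplified chain representation: each certificate is a small record carrying only the fields the check needs, and the chains at the bottom are constructed with made-up names and constraint values that mirror the five-certificate shape shown above. The decision to also apply the trust anchor's own constraint is a local-policy choice that RFC 5280 leaves to the verifier.

```python
"""RFC 5280 6.1.4 pathLenConstraint check over a simplified certificate chain.

Added example, not GnuTLS code: certificates are plain records rather than
parsed X.509 objects, and all names/values below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool                      # basicConstraints cA flag
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint (None = absent)

    @property
    def self_issued(self) -> bool:
        # RFC 5280: self-issued certificates do not consume a hop of the constraint
        return self.subject == self.issuer


def check_path_len(chain: List[Cert]) -> Optional[str]:
    """Return None if every pathLenConstraint in `chain` is satisfied, else a reason.

    `chain` is ordered trust anchor first, end-entity last.  Every certificate
    except the leaf is processed, so the anchor's own constraint is enforced too
    (RFC 5280 leaves trust-anchor extensions to local policy; this is the strict
    choice).  Each non-self-issued intermediate must fit inside the tightest
    constraint seen so far, and its own constraint can only tighten the limit.
    """
    if len(chain) < 2:
        return None
    max_path_length: Optional[int] = None   # None means "no limit yet"
    for cert in chain[:-1]:
        if not cert.is_ca:
            return f"{cert.subject}: non-CA certificate used as an issuer"
        if not cert.self_issued:
            # RFC 5280 6.1.4 (l): verify max_path_length > 0, then decrement
            if max_path_length == 0:
                return f"{cert.subject}: exceeds pathLenConstraint of an ancestor"
            if max_path_length is not None:
                max_path_length -= 1
        # RFC 5280 6.1.4 (m): a smaller pathLenConstraint tightens the limit
        if cert.path_len is not None and (
            max_path_length is None or cert.path_len < max_path_length
        ):
            max_path_length = cert.path_len
    return None


# Constructed chains (hypothetical names, not the certificates from the report).
ROOT = Cert("CN=Constructed Root", "CN=Constructed Root", is_ca=True)
LEAF = Cert("CN=localhost", "CN=Intermediate B", is_ca=False)

# Root -> A (pathLen=1) -> B -> leaf: B is the one permitted sub-CA under A.
GOOD_CHAIN = [
    ROOT,
    Cert("CN=Intermediate A", "CN=Constructed Root", is_ca=True, path_len=1),
    Cert("CN=Intermediate B", "CN=Intermediate A", is_ca=True),
    LEAF,
]

# Root -> A (pathLen=0) -> B -> C -> leaf: A permits no further CAs, so B must fail.
BAD_CHAIN = [
    ROOT,
    Cert("CN=Intermediate A", "CN=Constructed Root", is_ca=True, path_len=0),
    Cert("CN=Intermediate B", "CN=Intermediate A", is_ca=True),
    Cert("CN=Intermediate C", "CN=Intermediate B", is_ca=True),
    Cert("CN=localhost", "CN=Intermediate C", is_ca=False),
]

# Root -> A (pathLen=1) -> B -> C -> leaf: one hop too many, so C must fail.
TOO_DEEP_CHAIN = [
    ROOT,
    Cert("CN=Intermediate A", "CN=Constructed Root", is_ca=True, path_len=1),
    Cert("CN=Intermediate B", "CN=Intermediate A", is_ca=True),
    Cert("CN=Intermediate C", "CN=Intermediate B", is_ca=True),
    Cert("CN=localhost", "CN=Intermediate C", is_ca=False),
]

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("bad", BAD_CHAIN), ("too deep", TOO_DEEP_CHAIN)]:
        result = check_path_len(chain)
        print(f"{name:9s}: {'Verified' if result is None else 'Not verified: ' + result}")
```

A verifier that reports "Verified" for a chain shaped like BAD_CHAIN is the bug the oss-security report alleges; the check above returns a reason naming the first certificate that breaks the constraint, which is what one would want surfaced in verification output.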
-------------- next part --------------
An embedded message was scrubbed...
From: Tavis Ormandy <taviso at cmpxchg8b.com>
Subject: [oss-security] please verify unusual x.509 constraints are handled
Date: Wed, 27 Jun 2012 15:13:18 +0200
Size: 27423
URL: </pipermail/attachments/20121031/8e020d78/attachment.eml>

