[gnutls-help] gnutls_x509_crl_verify fails for new generated certificates or CRL

[Nikos Mavrogiannopoulos]

On Wed, Nov 30, 2016 at 10:15 PM, Adrien Béraud
<adrien.beraud at savoirfairelinux.com> wrote:
> I make use of GnuTLS certificate revocation list methods, including
> gnutls_x509_crl_verify, but it looks like there some issue:
> gnutls_x509_crl_verify
> calls
> find_crl_issuer,
> which calls
> is_crl_issuer,
> which calls
> _gnutls_x509_compare_raw_dn
>
> However it seems that the raw_dn field is not set for a new generated
> certificate, only for a certificate loaded using gnutls_x509_crt_import
> functions.
> Also it seems the raw_issuer_dn field is not set for a new generated CRL,
> only for a CRL loaded using gnutls_x509_crl_import functions.
> So that gnutls_x509_crl_verify fails when used with new generated
> certificate or CRL.

Right, newly generated CRLs and certificates are not fully usable. I
think I should make that apparent in the _sign() functions of them.
They need to go through the import phase to be used for verification.

> Also this means that if multiple new certificates and a new CRL are provided
> to gnutls_x509_crl_verify, any of the provided certificate will match since
> the raw DN is allays empty so allays equal.
> Fortunately in this case the signature check would fail later in
> gnutls_x509_crl_verify so this might not be a security issue.

DN matching does not offer an security guarrantee. The DN is what the
certificate claims to be, rather than an ID assertion. The matching is
used to discover a possible signer, but does not replace the signature
verification process.

regards,
Nikos