[gnutls-devel] SSL certificate validation bugs in GnuTLS
Suman Jana
suman at cs.utexas.edu
Thu Feb 13 09:33:36 CET 2014
Sorry, one small correction. The "check_if_ca" function is actually
defined in lib/x509/verify.c and it calls "gnutls_x509_crt_get_ca_status".
Suman
>>> 2. Path length constraints in CA certs should be enforced. GnuTLS
>>> ignores path length constraints.
>> Which version of gnutls did you use? GnuTLS supports path length
>> constraints for quite some time now.
> We found the bug in GnuTLS 3.1.9. As you mentioned, GnuTLS 3.1.9
> indeed parses the path length constraints. However, it doesn't enforce
> them. During CA certificate verification, the function "check_if_ca" is
> called from verify.c. "check_if_ca" is defined in lib/x509/x509.c as
> follows -
>
> int
> gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, unsigned int *critical)
> {
>   int pathlen;
>   unsigned int ca;
>   return gnutls_x509_crt_get_basic_constraints (cert, critical, &ca, &pathlen);
> }
>
> The problem is that the pathlen value is never checked.
>
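The check the thread says was missing, as an added example that is not part of this message or of GnuTLS: a toy chain model (the cert_t struct, check_ca_flags_only and check_path_length are all hypothetical names constructed here, not GnuTLS APIs) in which a verifier walks the chain and rejects it when a CA certificate has more non-self-issued intermediate CAs beneath it than its basicConstraints pathLenConstraint allows (RFC 5280, section 6.1.4). The "flags only" variant mirrors the behaviour described above, where only the cA flag is consulted and pathlen is discarded; the sample chains are constructed for the example.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Minimal model of a parsed certificate (constructed for this example; not
 * GnuTLS's gnutls_x509_crt_t). pathlen < 0 means "no pathLenConstraint". */
typedef struct {
    const char *subject;
    bool is_ca;        /* basicConstraints cA flag */
    bool self_issued;  /* issuer == subject; such certs do not count toward pathlen */
    int pathlen;       /* basicConstraints pathLenConstraint, -1 if absent */
} cert_t;

/* Chains are ordered leaf first (index 0) and trust anchor last (index n-1). */

/* The behaviour the thread describes: only the cA flag of each issuer is
 * checked, so a pathLenConstraint is parsed and then ignored. */
int check_ca_flags_only(const cert_t *chain, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (!chain[i].is_ca)
            return 0;
    return 1;
}

/* Enforcing variant: returns 1 if every issuer is a CA and no issuer has
 * more non-self-issued CA certificates below it than its pathlen permits. */
int check_path_length(const cert_t *chain, size_t n)
{
    if (n < 2)
        return 1;  /* nothing is issued by anything else; no constraint applies */
    for (size_t i = 1; i < n; i++) {
        const cert_t *ca = &chain[i];
        if (!ca->is_ca)
            return 0;  /* a non-CA certificate is acting as an issuer */
        if (ca->pathlen < 0)
            continue;  /* no constraint on this CA */
        /* Count the non-self-issued CA certs strictly between this CA and
         * the leaf (indices 1..i-1); that is the number of intermediates
         * that follow it in the path. */
        int below = 0;
        for (size_t j = 1; j < i; j++)
            if (!chain[j].self_issued)
                below++;
        if (below > ca->pathlen)
            return 0;
    }
    return 1;
}

/* Constructed sample chains: Root -> Sub CA A -> Sub CA B -> leaf. */
static const cert_t chain_ok[] = {
    { "leaf",                 false, false, -1 },
    { "Sub CA B",             true,  false, -1 },
    { "Sub CA A (pathLen=1)", true,  false,  1 },  /* one CA below it: fine */
    { "Root",                 true,  true,  -1 },
};
static const cert_t chain_bad[] = {
    { "leaf",                 false, false, -1 },
    { "Sub CA B",             true,  false, -1 },
    { "Sub CA A (pathLen=0)", true,  false,  0 },  /* may not have any CA below it */
    { "Root",                 true,  true,  -1 },
};
#define N_CHAIN 4

int main(void)
{
    printf("flags-only check accepts over-long chain: %d\n",
           check_ca_flags_only(chain_bad, N_CHAIN));
    printf("path-length check accepts over-long chain: %d\n",
           check_path_length(chain_bad, N_CHAIN));
    printf("path-length check accepts conforming chain: %d\n",
           check_path_length(chain_ok, N_CHAIN));
    return 0;
}
```

The difference between the two functions is exactly the value that the quoted gnutls_x509_crt_get_ca_status discards: with pathLen=0 on Sub CA A, the flags-only check still accepts Sub CA B as an issuer, while the enforcing check rejects the chain.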