[gnutls-devel] GnuTLS | Gnutls accepts a certificate with invalid Subject Public Key Info (#873)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Dec 12 17:36:11 CET 2019



llqll created an issue: https://gitlab.com/gnutls/gnutls/issues/873



## Description of problem:

I recently created a certificate chain [rootCA, intermediate certificate, leaf certificate] whose leaf certificate has an invalid Subject Public Key Info field. Although the subject public key field conforms to the syntax of the bit string, the RSAPublicKey in it does not conform to the syntax. The DER encoded RSAPublicKey is the value of the BIT STRING subjectPublicKey.

The structure of RSAPublicKey described in RFC 3279 is:

```
RSAPublicKey ::= SEQUENCE {
    modulus        INTEGER, -- n
    publicExponent INTEGER } -- e
```

Meanwhile, the chain can still pass certificate verification with GnuTLS 3.6.7; however, the chain was rejected by OpenSSL.
Does GnuTLS 3.6.7 have a bug here?
(Or do I have some misunderstanding of GnuTLS 3.6.7's parsing or verification procedure?) Will it cause any further problems in certificate verification?

## Version of gnutls used:
GnuTLS 3.6.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu 16.04

## How reproducible:

Steps to Reproduce:

```
certtool --verify --load-ca-certificate 1.pem --infile leaf.pem
```

## Actual results:

The verification returns:
```
Chain verification output: Verified. The certificate is trusted.
```
however, the result of OpenSSL is:
```
error 66 at 0 depth lookup: EE certificate key too weak
error leaf.pem: verification failed
```

## Expected results:
Chain verification output: failed.

the 1.pem is:
(PEM certificate chain omitted)
the leaf.pem is:
(PEM certificate omitted)
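Added example, not code from the reporter or from GnuTLS: a small DER check that refuses an RSA SubjectPublicKeyInfo unless the subjectPublicKey BIT STRING holds exactly the RFC 3279 `RSAPublicKey ::= SEQUENCE { INTEGER n, INTEGER e }` and nothing else, which is the inner structure the report says certtool did not validate. The two SPKI byte strings are constructed toy values (a 16-bit modulus) that only exercise the parser and are not usable keys.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, end). Definite lengths only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("DER length exceeds input")
    return tag, data[pos:pos + length], pos + length

def check_rsa_spki(spki):
    """Return 'ok' or the reason this SubjectPublicKeyInfo is not a valid RSA key."""
    try:
        tag, body, end = _tlv(spki, 0)
        if tag != 0x30 or end != len(spki):
            return "SPKI is not a single SEQUENCE"
        tag, alg, p = _tlv(body, 0)
        oid_tag, oid, _ = _tlv(alg, 0)
        if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
            return "algorithm is not rsaEncryption"
        tag, bits, p = _tlv(body, p)
        if tag != 0x03 or p != len(body):
            return "subjectPublicKey is not the trailing BIT STRING"
        if not bits or bits[0] != 0:
            return "BIT STRING has unused bits"
        # RFC 3279: the bit string holds exactly SEQUENCE { INTEGER n, INTEGER e }.
        tag, seq, end = _tlv(bits, 1)
        if tag != 0x30 or end != len(bits):
            return "RSAPublicKey is not a single SEQUENCE"
        ints, q = [], 0
        while q < len(seq):
            tag, val, q = _tlv(seq, q)
            if tag != 0x02 or not val:
                return "RSAPublicKey member is not an INTEGER"
            ints.append(val)
        if len(ints) != 2:
            return "RSAPublicKey must hold exactly modulus and publicExponent"
        return "ok"
    except (ValueError, IndexError):
        return "malformed DER"

# Constructed samples (toy 16-bit modulus, parser exercise only, not real keys).
GOOD_SPKI = bytes.fromhex("301b300d06092a864886f70d0101010500030a00300702020101020103")
BAD_SPKI = bytes.fromhex("3016300d06092a864886f70d010101050003050002020101")  # bare INTEGER
```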
