[gnutls-devel] GnuTLS | GnuTLS allows unrelated certificates in the certificate chain during client certificate authentication (#1029)

[Development of GNU's TLS library]

Immortalem created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1029



## Description of problem:
GnuTLS allows the client to present, in addition to a valid certificate chain, unrelated additional certificates in its certificate message during client authentication. While this is somewhat allowed in TLS 1.3 it's prohibited in prior versions.

## Version of gnutls used:
3.6.13, 3.6.14

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Compiled from source after cloning the respective branch from GitHub


## How reproducible:

Steps to Reproduce:

* Start `gnutls-serv` with 
    - [ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem](/uploads/b5997cc58cda614eaf0b63ee2e452756/ROOTv3_CAv3_LEAF_RSAv3__leaf_certificate1.pem) for `--x509certfile`
    - [rsakey_2.pem](/uploads/58a0617004be9d88309f2c490880c65e/rsakey_2.pem) for `--x509keyfile`
    - [root.pem](/uploads/93dc75c17eb4ef983c1f32b32b0ae699/root.pem) for `--x509cafile`
    - require client certificate `-r`
    - verify client certificate `--verify-client-cert`

I am unaware of any currently public tool that allows one to add unrelated certificates in the certificate message during the TLS handshake. Hence I provide two wireshark traces which show a successful handshake, first with an additional certificate after the last intermediate CA certificate and second with an additional certificate between leaf and intermediate CA certificate. Additionally, I provide the certificates used in their order of occurence.

* First trace [AdditionalCertAfterChain.pcapng](/uploads/a0cfc1c6292ee7059d9f8c725f8377ac/AdditionalCertAfterChain.pcapng)
    - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__leaf_certificate1.pem](/uploads/2993b988edaaeb5489a96b093849fea0/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__leaf_certificate1.pem)
    - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__ca_certificate1.pem](/uploads/71c0a75d5058a32de59f886915e1960d/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__ca_certificate1.pem)
    - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__attacker_certificate.pem](/uploads/d2ff7599473ffe16b953202ce035a313/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterChain__attacker_certificate.pem)



* Second trace [AdditionalCertAfterLeaf.pcapng](/uploads/31070d7963feb5156d91052444f46fc4/AdditionalCertAfterLeaf.pcapng)
    - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__leaf_certificate1.pem](/uploads/5b158c661d1564c4ead5ef45c396fd6c/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__leaf_certificate1.pem)
    - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__attacker_certificate.pem](/uploads/39e081e44b919380efd5462e27b665b7/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__attacker_certificate.pem)
    - [ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__ca_certificate1.pem](/uploads/e2213f1de15b97dccef5864048bb11fa/ROOTv3_CAv3_LEAF_RSAv3_AdditionalCertAfterLeaf__ca_certificate1.pem)

Key for the leaf certificate:
- [rsakey_2.pem](/uploads/58a0617004be9d88309f2c490880c65e/rsakey_2.pem)

## Actual results:
GnuTLS accepts the certificate chain, apparently ignoring the additional, unrelated certificate.

## Expected results:
GnuTLS should reject the certificate chain in TLS 1.2 and prior.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1029
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200611/b47e9b54/attachment.html>