[gnutls-devel] GnuTLS | A certificate which has no subject public key is parsed by GnuTLS with inconsistent notifications between v3.5.5 and v3.6.13. (#1154)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Jan 23 13:36:59 CET 2021



GOODPWDCETCSZ created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1154



## Description of problem:
A certificate which has no subject public key is parsed by GnuTLS. GnuTLS v3.5.5 reports "error: get_key_id: ASN1 parser: Element was not found.", while GnuTLS v3.6.13 gives no warning or error. OpenSSL and ZCertificate report errors when parsing this certificate.

## Version of gnutls used:
3.5.5, 3.6.13

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu

## How reproducible:

Steps to Reproduce:

 * `certtool -in --infile seed-0u0.pem`

## Actual results:
**v3.5.5**
```
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 02
	Issuer: C=UN,ST=NYS,O=UNGA,OU=UNSC,CN=DT
	Validity:
		Not Before: Tue Jun 25 19:55:19 UTC 2019
		Not After: Mon Jan 21 03:29:38 UTC 2030
	Subject: C=UN,ST=NYS,O=UNGA,OU=UNSC-peace,CN=DT-peace
	Extensions:
		Authority Key Identifier (not critical):
			ead39df2fa12151d6b90011f1ddb277fafd165d7
		Subject Key Identifier (not critical):
			bc93a7c14d51a1b11e5dc9c191eadb5b53d5bc58
		Key Usage (critical):
			Certificate signing.
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
	Signature Algorithm: RSA-SHA256
	Signature:
		9f:71:46:8f:ce:62:f2:05:59:b4:38:c1:d1:d8:40:3e
		34:33:07:7a:57:42:5c:96:27:9f:b9:fe:5c:5f:40:71
		d5:d7:7d:01:4c:07:cd:2c:28:12:cd:07:ca:9b:a3:f2
		14:8f:c3:42:84:bb:d4:7b:18:17:b7:e5:25:96:32:1c
		25:c3:12:5c:46:53:f0:5d:99:9f:e8:7a:c7:d4:c9:fa
		90:c0:15:b9:ce:e2:0c:34:18:35:2b:d8:0b:8a:75:b3
		9e:cf:02:14:d2:c2:1a:4f:3b:9c:0f:70:a8:92:c2:a5
		be:f4:54:54:b2:63:a1:54:22:7d:f4:d6:04:e3:78:1e
		f4:83:a5:a2:b2:d7:de:31:47:13:c7:1b:8f:28:f2:07
		d4:27:45:39:89:e5:73:e2:37:ae:d5:8d:59:d8:03:08
		94:10:65:9c:5b:54:95:e8:73:f3:04:d3:65:83:71:1e
		57:0b:95:68:a4:f3:9e:b5:9e:ad:fb:54:92:df:75:a4
		5d:aa:19:41:a8:bb:bb:96:22:90:82:a6:34:7d:3a:ae
		42:07:20:81:39:4f:4d:04:28:1e:a7:6e:92:b3:26:f1
		21:47:46:48:99:3f:a9:16:39:e4:49:af:30:da:6b:83
		b7:ee:0f:0c:f8:42:32:b7:46:98:01:20:d1:5e:76:0c
		ee:74:57:34:9d:37:3a:87:eb:ca:b8:cc:c2:58:64:b7
		aa:c9:62:7e:48:42:ee:e6:bf:8b:cc:b8:ef:f0:7c:59
		ff:0c:53:e3:e9:2e:61:7c:fb:2d:03:a9:3d:10:22:d6
		2e:6e:79:68:7b:ac:47:a8:4b:30:cf:fb:11:c7:6a:eb
		59:47:ea:51:33:4c:4c:07:73:a6:12:b7:15:85:9c:69
		1e:9b:c0:0a:7d:9e:15:85:57:38:7c:f6:51:4a:c7:a5
		91:e6:00:86:bf:1a:f3:9d:6f:99:b4:a9:78:e1:1a:10
		c0:15:6b:fc:69:6a:bc:02:eb:ab:d7:22:d4:6c:69:e1
		22:11:85:90:e6:97:6b:d5:c0:89:86:63:81:db:df:3f
		48:4f:be:11:a2:30:b7:bf:bd:5b:2c:3f:0e:49:e6:1c
		94:be:52:48:64:35:4c:71:22:9c:a7:21:8b:8e:5d:c5
		a4:80:34:25:e1:29:ac:41:ab:6a:85:5b:b0:3e:3c:18
		cc:15:72:75:80:9d:1d:76:b2:97:b3:d7:b6:48:ca:e3
		37:b1:45:55:69:b6:1d:d8:92:82:01:68:2a:36:a1:24
		df:88:0f:bc:32:86:79:c3:f8:09:8b:c2:15:30:96:90
		64:81:fc:8a:54:e5:cf:de:0e:fc:14:52:03:8d:c6:00
Other Information:
	SHA1 fingerprint:
		7ce3cb5c9182e83dee93c7a54fd2c59e63b0f537
	SHA256 fingerprint:
		676b4d86cca0a5421201013c295ae584fa2fa359cfcf4f7a9dc713b8dca3d892
error: get_key_id: ASN1 parser: Element was not found.

-----BEGIN CERTIFICATE-----
MIIDWDCCAUCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBGMQswCQYDVQQGEwJVTjEM
MAoGA1UECAwDTllTMQ0wCwYDVQQKDARVTkdBMQ0wCwYDVQQLDARVTlNDMQswCQYD
VQQDDAJEVDAiGA8yMDE5MDYyNTE5NTUxOVoYDzIwMzAwMTIxMDMyOTM4WjBSMQsw
CQYDVQQGEwJVTjEMMAoGA1UECAwDTllTMQ0wCwYDVQQKDARVTkdBMRMwEQYDVQQL
DApVTlNDLXBlYWNlMREwDwYDVQQDDAhEVC1wZWFjZTAFMAADAQCjYDBeMB8GA1Ud
IwQYMBaAFOrTnfL6EhUda5ABHx3bJ3+v0WXXMB0GA1UdDgQWBBS8k6fBTVGhsR5d
ycGR6ttbU9W8WDAOBgNVHQ8BAf8EBAMCAgQwDAYDVR0TAQH/BAIwADANBgkqhkiG
9w0BAQsFAAOCAgEAn3FGj85i8gVZtDjB0dhAPjQzB3pXQlyWJ5+5/lxfQHHV130B
TAfNLCgSzQfKm6PyFI/DQoS71HsYF7flJZYyHCXDElxGU/BdmZ/oesfUyfqQwBW5
zuIMNBg1K9gLinWzns8CFNLCGk87nA9wqJLCpb70VFSyY6FUIn301gTjeB70g6Wi
stfeMUcTxxuPKPIH1CdFOYnlc+I3rtWNWdgDCJQQZZxbVJXoc/ME02WDcR5XC5Vo
pPOetZ6t+1SS33WkXaoZQai7u5YikIKmNH06rkIHIIE5T00EKB6nbpKzJvEhR0ZI
mT+pFjnkSa8w2muDt+4PDPhCMrdGmAEg0V52DO50VzSdNzqH68q4zMJYZLeqyWJ+
SELu5r+LzLjv8HxZ/wxT4+kuYXz7LQOpPRAi1i5ueWh7rEeoSzDP+xHHautZR+pR
M0xMB3OmErcVhZxpHpvACn2eFYVXOHz2UUrHpZHmAIa/GvOdb5m0qXjhGhDAFWv8
aWq8Auur1yLUbGnhIhGFkOaXa9XAiYZjgdvfP0hPvhGiMLe/vVssPw5J5hyUvlJI
ZDVMcSKcpyGLjl3FpIA0JeEprEGraoVbsD48GMwVcnWAnR12spez17ZIyuM3sUVV
abYd2JKCAWgqNqEk34gPvDKGecP4CYvCFTCWkGSB/IpU5c/eDvwUUgONxgA=
-----END CERTIFICATE-----
```

**v3.6.13**
```
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 02
	Issuer: CN=DT,OU=UNSC,O=UNGA,ST=NYS,C=UN
	Validity:
		Not Before: Tue Jun 25 19:55:19 UTC 2019
		Not After: Mon Jan 21 03:29:38 UTC 2030
	Subject: CN=DT-peace,OU=UNSC-peace,O=UNGA,ST=NYS,C=UN
	Extensions:
		Authority Key Identifier (not critical):
			ead39df2fa12151d6b90011f1ddb277fafd165d7
		Subject Key Identifier (not critical):
			bc93a7c14d51a1b11e5dc9c191eadb5b53d5bc58
		Key Usage (critical):
			Certificate signing.
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
	Signature Algorithm: RSA-SHA256
	Signature:
		9f:71:46:8f:ce:62:f2:05:59:b4:38:c1:d1:d8:40:3e
		34:33:07:7a:57:42:5c:96:27:9f:b9:fe:5c:5f:40:71
		d5:d7:7d:01:4c:07:cd:2c:28:12:cd:07:ca:9b:a3:f2
		14:8f:c3:42:84:bb:d4:7b:18:17:b7:e5:25:96:32:1c
		25:c3:12:5c:46:53:f0:5d:99:9f:e8:7a:c7:d4:c9:fa
		90:c0:15:b9:ce:e2:0c:34:18:35:2b:d8:0b:8a:75:b3
		9e:cf:02:14:d2:c2:1a:4f:3b:9c:0f:70:a8:92:c2:a5
		be:f4:54:54:b2:63:a1:54:22:7d:f4:d6:04:e3:78:1e
		f4:83:a5:a2:b2:d7:de:31:47:13:c7:1b:8f:28:f2:07
		d4:27:45:39:89:e5:73:e2:37:ae:d5:8d:59:d8:03:08
		94:10:65:9c:5b:54:95:e8:73:f3:04:d3:65:83:71:1e
		57:0b:95:68:a4:f3:9e:b5:9e:ad:fb:54:92:df:75:a4
		5d:aa:19:41:a8:bb:bb:96:22:90:82:a6:34:7d:3a:ae
		42:07:20:81:39:4f:4d:04:28:1e:a7:6e:92:b3:26:f1
		21:47:46:48:99:3f:a9:16:39:e4:49:af:30:da:6b:83
		b7:ee:0f:0c:f8:42:32:b7:46:98:01:20:d1:5e:76:0c
		ee:74:57:34:9d:37:3a:87:eb:ca:b8:cc:c2:58:64:b7
		aa:c9:62:7e:48:42:ee:e6:bf:8b:cc:b8:ef:f0:7c:59
		ff:0c:53:e3:e9:2e:61:7c:fb:2d:03:a9:3d:10:22:d6
		2e:6e:79:68:7b:ac:47:a8:4b:30:cf:fb:11:c7:6a:eb
		59:47:ea:51:33:4c:4c:07:73:a6:12:b7:15:85:9c:69
		1e:9b:c0:0a:7d:9e:15:85:57:38:7c:f6:51:4a:c7:a5
		91:e6:00:86:bf:1a:f3:9d:6f:99:b4:a9:78:e1:1a:10
		c0:15:6b:fc:69:6a:bc:02:eb:ab:d7:22:d4:6c:69:e1
		22:11:85:90:e6:97:6b:d5:c0:89:86:63:81:db:df:3f
		48:4f:be:11:a2:30:b7:bf:bd:5b:2c:3f:0e:49:e6:1c
		94:be:52:48:64:35:4c:71:22:9c:a7:21:8b:8e:5d:c5
		a4:80:34:25:e1:29:ac:41:ab:6a:85:5b:b0:3e:3c:18
		cc:15:72:75:80:9d:1d:76:b2:97:b3:d7:b6:48:ca:e3
		37:b1:45:55:69:b6:1d:d8:92:82:01:68:2a:36:a1:24
		df:88:0f:bc:32:86:79:c3:f8:09:8b:c2:15:30:96:90
		64:81:fc:8a:54:e5:cf:de:0e:fc:14:52:03:8d:c6:00
Other Information:
	Fingerprint:
		sha1:7ce3cb5c9182e83dee93c7a54fd2c59e63b0f537
		sha256:676b4d86cca0a5421201013c295ae584fa2fa359cfcf4f7a9dc713b8dca3d892

-----BEGIN CERTIFICATE-----
MIIDWDCCAUCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBGMQswCQYDVQQGEwJVTjEM
MAoGA1UECAwDTllTMQ0wCwYDVQQKDARVTkdBMQ0wCwYDVQQLDARVTlNDMQswCQYD
VQQDDAJEVDAiGA8yMDE5MDYyNTE5NTUxOVoYDzIwMzAwMTIxMDMyOTM4WjBSMQsw
CQYDVQQGEwJVTjEMMAoGA1UECAwDTllTMQ0wCwYDVQQKDARVTkdBMRMwEQYDVQQL
DApVTlNDLXBlYWNlMREwDwYDVQQDDAhEVC1wZWFjZTAFMAADAQCjYDBeMB8GA1Ud
IwQYMBaAFOrTnfL6EhUda5ABHx3bJ3+v0WXXMB0GA1UdDgQWBBS8k6fBTVGhsR5d
ycGR6ttbU9W8WDAOBgNVHQ8BAf8EBAMCAgQwDAYDVR0TAQH/BAIwADANBgkqhkiG
9w0BAQsFAAOCAgEAn3FGj85i8gVZtDjB0dhAPjQzB3pXQlyWJ5+5/lxfQHHV130B
TAfNLCgSzQfKm6PyFI/DQoS71HsYF7flJZYyHCXDElxGU/BdmZ/oesfUyfqQwBW5
zuIMNBg1K9gLinWzns8CFNLCGk87nA9wqJLCpb70VFSyY6FUIn301gTjeB70g6Wi
stfeMUcTxxuPKPIH1CdFOYnlc+I3rtWNWdgDCJQQZZxbVJXoc/ME02WDcR5XC5Vo
pPOetZ6t+1SS33WkXaoZQai7u5YikIKmNH06rkIHIIE5T00EKB6nbpKzJvEhR0ZI
mT+pFjnkSa8w2muDt+4PDPhCMrdGmAEg0V52DO50VzSdNzqH68q4zMJYZLeqyWJ+
SELu5r+LzLjv8HxZ/wxT4+kuYXz7LQOpPRAi1i5ueWh7rEeoSzDP+xHHautZR+pR
M0xMB3OmErcVhZxpHpvACn2eFYVXOHz2UUrHpZHmAIa/GvOdb5m0qXjhGhDAFWv8
aWq8Auur1yLUbGnhIhGFkOaXa9XAiYZjgdvfP0hPvhGiMLe/vVssPw5J5hyUvlJI
ZDVMcSKcpyGLjl3FpIA0JeEprEGraoVbsD48GMwVcnWAnR12spez17ZIyuM3sUVV
abYd2JKCAWgqNqEk34gPvDKGecP4CYvCFTCWkGSB/IpU5c/eDvwUUgONxgA=
-----END CERTIFICATE-----
```

**OpenSSL**
```
unable to load certificate
139647535469888:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
139647535469888:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=algor, Type=X509_PUBKEY
139647535469888:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=key, Type=X509_CINF
139647535469888:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
139647535469888:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:
```

**ZCertificate**
```
INFO[0000] reading from seed-0u0.pem
INFO[0000] writing to stdout
ERRO[0000] could not parse certificate: asn1: syntax error: sequence truncated
```
[seed-0u0.pem](/uploads/060d3deb0910ffa3882436217d763e9d/seed-0u0.pem)

## Expected results:
Consistent warning and error notification.
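
An added example, not part of the original report and not GnuTLS code: a structural check of the SubjectPublicKeyInfo field that a caller can apply instead of relying on a parser returning success. `EMPTY_SPKI` is the seven-byte field decoded from the certificate above (an empty AlgorithmIdentifier followed by a one-byte BIT STRING), which matches OpenSSL's "Field=algorithm ... field missing" error; the names `read_tlv` and `check_spki` and the Ed25519 sample are assumptions of this example.

```python
# Added example: strict structural check of a DER SubjectPublicKeyInfo (SPKI).
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length, 1..4 length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def check_spki(spki):
    """Return a list of problems found in a DER SPKI (empty list means well-formed)."""
    problems = []
    try:
        tag, body, end = read_tlv(spki, 0)
        if tag != 0x30 or end != len(spki):
            return ["SubjectPublicKeyInfo is not a single SEQUENCE"]
        tag, alg, pos = read_tlv(body, 0)
        if tag != 0x30:
            return ["AlgorithmIdentifier is not a SEQUENCE"]
        if not alg:
            problems.append("AlgorithmIdentifier is empty (no algorithm OID)")
        elif read_tlv(alg, 0)[0] != 0x06:
            problems.append("AlgorithmIdentifier does not start with an OID")
        tag, key, pos = read_tlv(body, pos)
        if tag != 0x03:
            problems.append("subjectPublicKey is not a BIT STRING")
        elif len(key) < 2:                # only the unused-bits octet, no key data
            problems.append("subjectPublicKey carries no key bits")
        if pos != len(body):
            problems.append("trailing data after subjectPublicKey")
    except ValueError as exc:
        problems.append(f"malformed DER: {exc}")
    return problems

# SPKI field decoded from the seed-0u0.pem certificate quoted in the report.
EMPTY_SPKI = bytes.fromhex("30053000030100")
# Constructed sample: Ed25519 SPKI (OID 1.3.101.112) with a dummy all-zero key.
ED25519_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(32)
```
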
