[gnutls-devel] GnuTLS | Problematic CSR (self-signature verification fails) (#1287)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sun Nov 7 10:58:47 CET 2021

Adriano Santoni created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1287


I am not reporting a bug, I think, but sharing a reasoning and requesting confirmation or an alternative explanation.

The attached CSR does not verify with **certtool**:
	$ certtool --crq-info --infile <csr-file>
	Self signature: FAILED

I suppose this result is correct, in that - based on my investigations and my understanding of RC2986 - the signature in the attached CSR seems to have been computed over its certificationRequestInfo element without first DER-encoding it (as per RFC2986), which means having computed it over the wrong data. 

In fact, the attached CSR is not already DER-encoded (it contains an unordered multi-value RDN in the Subject field), therefore DER encoding the certificationRequestInfo element yields different bytes than those found in the CSR itself. Hence the FAILED result, if my reasoning is correct.

I am not fully sure of my theory, though, and there could be other explanations, so I'd appreciate some GnuTLS developer(s) to confirm it or refute it.


Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1287
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20211107/7286cbcb/attachment.html>

More information about the Gnutls-devel mailing list