[gnutls-devel] GnuTLS | Certificate is considered as invalid if trust store contains CA cert with duplicating extensions (#1255)

[Read-only notification of GnuTLS library development activities]

Roman Kulikov commented:


If I got it right this logic has been implemented from the very beginning. In commit d02e7a1d22f73 `gnutls_x509_crt_list_import` was added with such chunk of code:
```
+int gnutls_x509_crt_list_import(gnutls_x509_crt_t *certs, unsigned int cert_max,
+    const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format, unsigned int flags)
+{
...
+    do {
...
+       ret = gnutls_x509_crt_import( certs[count], &tmp, GNUTLS_X509_FMT_PEM);
+       if (ret < 0) {
+            gnutls_assert();
+            goto error;
+        }
...
+    } while (cert_max > count && ptr != NULL);
+
+    return count;
+
+error:
+    CLEAR_CERTS;
+    return ret;
+}
```
Sanity check of any certificate in list results in import abort of the whole list.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1255#note_669553228
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20210905/b61bde07/attachment.html>