[gnutls-devel] GnuTLS | verification error on duplicate server cert in chain (#1335)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sun Jul 17 19:04:19 CEST 2022
Andreas Metzler commented:
After this code block in [verify-high.c](lib/x509/verify-high.c#L1483)
```C
	for (i = 0; i < cert_list_size &&
		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {

		unsigned int sorted_size = 1;
		unsigned int j;
		gnutls_x509_crt_t issuer;

		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
			sorted_size = _gnutls_sort_clist(&cert_list[i],
							 cert_list_size - i);
		}
```
The list
~~~
Subject: CN=ci.debian.net
Subject: CN=R3,O=Let's Encrypt,C=US
Subject: CN=ci.debian.net
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
~~~
is re-sorted properly, moving the duplicate CN=ci.debian.net from position 3 to 4. However, the following code block cannot/does not handle a later duplicate of the first entry and does not remove it.
[verify-high.c](lib/x509/verify-high.c#L1494)
```C
/* Remove duplicates. Start with index 1, as the first element
 * may be re-checked after issuer retrieval. */
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1335#note_1028739720
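The sort-then-dedup behaviour the comment describes, as an added example that is not part of the original report or of GnuTLS: a simplified model in plain C, with string subject/issuer names standing in for gnutls_x509_crt_t and a de-duplication pass modelled on the description only (the page does not show the library's loop body, so `dedup_adjacent` is an assumption about its shape, not its code). The chain data is constructed from the four subjects in the report. With that chain the sort returns a sorted prefix of 3 and leaves the second CN=ci.debian.net at index 3, behind the self-signed root, where an adjacent-only pass that starts at index 1 never compares it with index 0; a pass that compares each entry against every earlier one drops it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate (not gnutls_x509_crt_t): only the
 * two name fields that chain sorting and equality need. */
struct cert {
    const char *subject;
    const char *issuer;
};

#define MAX_CHAIN 16
#define LEAF_SUBJ "CN=ci.debian.net"
#define R3_SUBJ   "CN=R3,O=Let's Encrypt,C=US"
#define ISRG_SUBJ "CN=ISRG Root X1,O=Internet Security Research Group,C=US"

static int cert_equal(const struct cert *a, const struct cert *b)
{
    return strcmp(a->subject, b->subject) == 0 &&
           strcmp(a->issuer, b->issuer) == 0;
}

/* Simplified model of _gnutls_sort_clist(): from element 0, find the issuer
 * of the last sorted element among the remaining entries and swap it into the
 * next slot. Returns the length of the sorted prefix; entries that could not
 * be chained (here the duplicate leaf) end up behind it. */
static unsigned sort_clist(struct cert *list, unsigned n)
{
    unsigned sorted = 1;
    while (sorted < n) {
        const struct cert *last = &list[sorted - 1];
        unsigned j;
        if (strcmp(last->subject, last->issuer) == 0)
            break;                      /* self-signed: top of the chain */
        for (j = sorted; j < n; j++)
            if (strcmp(list[j].subject, last->issuer) == 0)
                break;
        if (j == n)
            break;                      /* issuer not present in the list */
        struct cert tmp = list[sorted];
        list[sorted] = list[j];
        list[j] = tmp;
        sorted++;
    }
    return sorted;
}

static void remove_at(struct cert *list, unsigned n, unsigned j)
{
    memmove(&list[j], &list[j + 1], (n - j - 1) * sizeof(list[0]));
}

/* Assumed shape of the pass the comment describes: start at index 1, drop an
 * entry only when it repeats its predecessor inside the sorted prefix. A copy
 * of entry 0 that the sort pushed behind the root is never compared with it. */
static unsigned dedup_adjacent(struct cert *list, unsigned n, unsigned sorted)
{
    unsigned j = 1;
    while (j < sorted) {
        if (cert_equal(&list[j - 1], &list[j])) {
            remove_at(list, n, j);
            n--;
            sorted--;
        } else {
            j++;
        }
    }
    return n;
}

/* Strict alternative: drop every entry equal to any earlier entry, including
 * entry 0, over the whole list rather than only the sorted prefix. */
static unsigned dedup_all(struct cert *list, unsigned n)
{
    unsigned j = 1;
    while (j < n) {
        unsigned k;
        for (k = 0; k < j; k++)
            if (cert_equal(&list[k], &list[j]))
                break;
        if (k < j) {
            remove_at(list, n, j);
            n--;
        } else {
            j++;
        }
    }
    return n;
}

/* Sorts and de-duplicates the chain from the report (constructed data), copies
 * the result into out when non-NULL and returns the resulting length. */
static unsigned run_chain(int with_fix, struct cert *out)
{
    struct cert list[MAX_CHAIN] = {
        { LEAF_SUBJ, R3_SUBJ },
        { R3_SUBJ,   ISRG_SUBJ },
        { LEAF_SUBJ, R3_SUBJ },         /* the duplicate server cert */
        { ISRG_SUBJ, ISRG_SUBJ },       /* self-signed root */
    };
    unsigned n = 4;
    unsigned sorted = sort_clist(list, n);
    n = with_fix ? dedup_all(list, n) : dedup_adjacent(list, n, sorted);
    if (out)
        memcpy(out, list, n * sizeof(list[0]));
    return n;
}

int main(void)
{
    struct cert out[MAX_CHAIN];
    unsigned n = run_chain(0, out);
    printf("adjacent dedup: %u entries, last %s\n", n, out[n - 1].subject);
    n = run_chain(1, out);
    printf("full dedup:     %u entries, last %s\n", n, out[n - 1].subject);
    return 0;
}
```

`run_chain(0, ...)` reproduces the situation in the report: four entries survive, the last one the second CN=ci.debian.net; `run_chain(1, ...)` returns the three-entry chain leaf, R3, ISRG Root X1.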