[gnutls-devel] GnuTLS | cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed. (#1521)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Jan 4 08:12:28 CET 2024

Martin Pitt commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713509108

I confirm that this is only about *validating* an user-provided certificate. It would probably be beset if @jlduprat could create a fresh one for reproducing and attach it here?

The validation happens in https://github.com/cockpit-project/cockpit/blob/main/src/tls/cockpit-certificate-ensure.c . Much of the code is unrelated to the problem, it's for finding the PEM/key files, picking apart a merged cert+key file (deprecated), and calling cockpit-certificate-helper in case there is no certificate. The main functionality for `--check` is [here](https://github.com/cockpit-project/cockpit/blob/main/src/tls/cockpit-certificate-ensure.c#L329), where it loads the certificate with `gnutls_certificate_set_x509_key_mem()`, and then calls `gnutls_certificate_get_x509_crt()` and `gnutls_x509_crt_get_expiration_time()` to check for expiration. I suppose one of these places throws the assertion.

> you would need to tell the tool that any of those root certificates are trusted

That doesn't/shouldn't happen via a CLI argument, but by putting the CAs into the usual /etc/pki (Fedora/RHEL) or /etc/ssl (Debian) system-wide trust anchor directories. But this bug report is about the assertion, so we mostly need a good back trace and a standalone reproducer. I'm happy to massage cockpit-certificate-ensure.c into a standalone file which doesn't need any other files from the cockpit tree, once we get the cert files which reproduce this. Alternatively, @jlduprat are you comfortable with installing debug symbols and running `gdb` to generate a back trace yourself?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1521#note_1713509108
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20240104/a8695ee7/attachment.html>

More information about the Gnutls-devel mailing list