[gnutls-devel] GnuTLS | Parse repeated extension (#1612)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Nov 19 03:34:33 CET 2024
dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1612
## Description of the feature:
Try parsing a certificate with duplicate extensions
## Applications that this feature may be relevant to:
In the interests of predictability, it is probably better to reject certificates with duplicated extensions during validation, but not refuse to parse them.
## Is this feature implemented in other libraries (and which)
OpenSSL allows parsing of certificates with repeated extensions, in order to meet predictability.

```
openssl x509 -in Cert17319379201A1.der -noout -text
Certificate:
    X509v3 extensions:
        X509v3 Authority Key Identifier:
            keyid:8C:AE:A9:CD:18:10:47:48:33:5D:C6:AC:2B:6A:29:BB:5F:B4:7D:29
            DirName:/CN=RandomIssuer-1763/C=US/O=RandomOrg-1011
            serial:02:18:94:68:C7
        X509v3 Authority Key Identifier:
            keyid:8C:AE:A9:CD:18:10:47:48:33:5D:C6:AC:2B:6A:29:BB:5F:B4:7D:29
            DirName:/CN=RandomIssuer-1763/C=US/O=RandomOrg-1011
            serial:02:18:B9:68:C7
```

```
certtool -i --inraw --infile Cert17319379201A1.der
import error: Duplicate extension in X.509 certificate.
```
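The split the issue asks for, where parsing keeps every extension and the duplicate check runs as a separate validation step, shown as an added example (not GnuTLS or OpenSSL code, and not part of the original report). It works on a bare DER Extensions SEQUENCE rather than a full certificate; the function names and the sample bytes are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):
    """Parsing step: return every Extension as (oid, extnValue), duplicates kept."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, item, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(item, 0)
        tag, val, p = read_tlv(item, p)
        if tag == 0x01:                    # skip the optional critical BOOLEAN
            tag, val, p = read_tlv(item, p)
        out.append((decode_oid(oid), val))
    return out

def duplicate_oids(exts):
    """Validation step: OIDs present more than once (RFC 5280 permits one instance)."""
    oids = [oid for oid, _ in exts]
    return sorted({oid for oid in oids if oids.count(oid) > 1})

def tlv(tag, body):                        # encoder for the sample below (short lengths only)
    return bytes([tag, len(body)]) + body
# Constructed sample: two Authority Key Identifier entries, one Subject Key Identifier.
AKI, SKI = tlv(0x06, b"\x55\x1d\x23"), tlv(0x06, b"\x55\x1d\x0e")
SAMPLE = tlv(0x30, tlv(0x30, AKI + tlv(0x04, b"\x30\x00"))
                 + tlv(0x30, AKI + tlv(0x04, b"\x30\x02\x80\x00"))
                 + tlv(0x30, SKI + tlv(0x04, b"\x04\x01\xaa")))
```

A caller can display or log everything `parse_extensions(SAMPLE)` returns and still fail path validation whenever `duplicate_oids` is non-empty.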