[gnutls-devel] GnuTLS | certtool says 'warning: signed using a broken signature algorithm that can be forged.' on cert signed with ML-DSA-44 (#1743)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Oct 2 01:04:34 CEST 2025



Stefan Berger created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1743



## Description of problem:

I modified swtpm EK certificate creation code to allow for a CA that has an ML-DSA-44 (or -87) signing key. It looked like the only choice for a hash algorithm was SHAKE-256. The created certificate shows a warning:
```
$ certtool --inder --infile /tmp/ek-secp384r1.crt -i
[...]
        Signature Algorithm: ML-DSA-87
warning: signed using a broken signature algorithm that can be forged.
        Signature:
[...]
```

My guess is it has something to do with slevel = _INSECURE here:
```
484             if (se->hash != GNUTLS_DIG_UNKNOWN &&
(gdb) print *se
$1 = {name = 0x7ffff7dd90b3 "ML-DSA-87", oid = 0x7ffff7dd90bd "2.16.840.1.101.3.4.3.19", id = GNUTLS_SIGN_MLDSA87, pk = GNUTLS_PK_MLDSA87,
  hash = GNUTLS_DIG_SHAKE_256, priv_pk = GNUTLS_PK_UNKNOWN, cert_pk = GNUTLS_PK_UNKNOWN, flags = 5, curve = GNUTLS_ECC_CURVE_INVALID, aid = {
    id = "\t\006", tls_sem = 4 '\004'}, slevel = _INSECURE, hash_output_size = 256}
```

Which part is 'insecure'?


## Version of gnutls used:
gnutls-3.8.10-1.fc42.x86_64


## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora 42

## How reproducible:

Here's the base64 encoded cert:


## Expected results:

It shouldn't display the warning.
