Name Constraints parsing failure (unsupported othername)
First of all, I'm sorry that I had to replace all the actual domain names, but I couldn't reach anyone to tell me that it would be okay to post them here... I hope it doesn't prevent you from having a look.
Edit: I splashed some printf-debugging all over the code and found that I get GNUTLS_E_ASN1_ELEMENT_NOT_FOUND on the first permittedSubtrees value:
|<2>| x509_read_value root=permittedSubtrees.?1.base.otherName.value
|<2>| asn1_read_value_type root=permittedSubtrees.?1.base.otherName.value etype=13
|<2>| asn1_read_value nptr=permittedSubtrees.?1.base.otherName.value tmp=
.$DOMAIN.$TLD
Description of problem:
I have an (intermediate) certificate (generated and used on Windows) that includes Name Constraints (for Kerberos Principals) that OpenSSL seems to be able to parse (to some extent), but GnuTLS does not (at all):
GnuTLS:
~ # certtool --certificate-info --infile $INTERMEDIATE.pem | grep -C1 "Name Constraints"
Access Location URI: $CDP_URL
Name Constraints (critical):
Signature Algorithm: RSA-SHA256
OpenSSL:
~ # openssl x509 -in $INTERMEDIATE.pem -noout -text | grep -A12 "Name Constraints"
X509v3 Name Constraints: critical
Permitted:
othername:<unsupported>
othername:<unsupported>
email:.$DOMAIN.$TLD
email:@$DOMAIN.$TLD
DNS:$DOMAIN
DNS:.$DOMAIN.$TLD
DNS:$DOMAIN.$TLD
DirName:DC = $TLD, DC = $DOMAIN
URI:http://.$DOMAIN.$TLD
URI:http://$DOMAIN.$TLD
Windows:
Permitted
[1]Subtrees (0..Max):
Other Name:
Principal Name=.$DOMAIN.$TLD
[2]Subtrees (0..Max):
Other Name:
Principal Name=@$DOMAIN.$TLD
[3]Subtrees (0..Max):
RFC822 Name=.$DOMAIN.$TLD
[4]Subtrees (0..Max):
RFC822 Name=@$DOMAIN.$TLD
[5]Subtrees (0..Max):
DNS Name=$DOMAIN
[6]Subtrees (0..Max):
DNS Name=.$DOMAIN.$TLD
[7]Subtrees (0..Max):
DNS Name=$DOMAIN.$TLD
[8]Subtrees (0..Max):
Directory Address:
DC=$DOMAIN
DC=$TLD
[9]Subtrees (0..Max):
URL=http://.$DOMAIN.$TLD
[10]Subtrees (0..Max):
URL=http://$DOMAIN.$TLD
Excluded=None
Version of gnutls used:
3.6.7 and 3.7.0
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian Stable and Unstable
How reproducible:
I tried to reproduce the certificate setup but it seems impossible to add the unsupported name constraints by OID.
Actual results:
~ # certtool --verify --verify-hostname $LEAF --load-ca-certificate $CA --infile $LEAF
Loaded CAs (1 available)
Subject: $INTERMEDIATE
Issuer: $CA
Checked against: $CA
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Subject: (null)
Issuer: $INTERMEDIATE
Checked against: $INTERMEDIATE
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints.
Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain violates the signer's constraints.
Expected results:
Leaf certificate should be trusted (it is in OpenSSL):
openssl verify -CAfile $CA+INTERMEDIATE $LEAF
$LEAF: OK
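An added example, not code from this issue or from GnuTLS: a pure-stdlib Python script that builds a NameConstraints extension with the same ten permitted subtrees, by OID (the step the report found impossible with certtool), and walks it back out without stopping at the otherName entries, rendering each subtree the way the OpenSSL output above does. The otherName type-id is assumed to be the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, which is my reading of the "Principal Name" label in the Windows dump; "example" and "test" stand in for the redacted $DOMAIN and $TLD. It also goes a step beyond the report with a helper for the RFC 5280 section 4.2.1.10 rule that a critical constraint on a name form the verifier cannot process only forces rejection when the leaf actually carries a name of that form.

```python
# Added example (not from the GnuTLS issue or its reporter): a minimal DER
# encoder/decoder for the NameConstraints extension that, unlike the failing
# path in the report, keeps going past otherName subtrees it cannot interpret,
# plus the RFC 5280 4.2.1.10 rule for unprocessable critical constraints.
DOMAIN, TLD = "example", "test"            # placeholders for the redacted names
UPN_OID = "1.3.6.1.4.1.311.20.2.3"          # assumption: Windows "Principal Name"
DC_OID = "0.9.2342.19200300.100.1.25"       # domainComponent
ATTR_NAMES = {DC_OID: "DC"}

# ---- minimal DER encoding ---------------------------------------------------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def other_name(type_id, utf8):              # GeneralName otherName [0] IMPLICIT
    return tlv(0xA0, encode_oid(type_id) + tlv(0xA0, tlv(0x0C, utf8.encode())))

def dir_name(*dcs):                         # GeneralName directoryName [4] EXPLICIT Name
    rdns = b"".join(tlv(0x31, tlv(0x30, encode_oid(DC_OID) + tlv(0x16, dc.encode())))
                    for dc in dcs)
    return tlv(0xA4, tlv(0x30, rdns))

def name_constraints(permitted):            # NameConstraints with permittedSubtrees only
    return tlv(0x30, tlv(0xA0, b"".join(tlv(0x30, gn) for gn in permitted)))

# Constructed to mirror the ten permitted subtrees printed in the report.
SAMPLE_EXT = name_constraints([
    other_name(UPN_OID, f".{DOMAIN}.{TLD}"), other_name(UPN_OID, f"@{DOMAIN}.{TLD}"),
    tlv(0x81, f".{DOMAIN}.{TLD}".encode()), tlv(0x81, f"@{DOMAIN}.{TLD}".encode()),
    tlv(0x82, DOMAIN.encode()), tlv(0x82, f".{DOMAIN}.{TLD}".encode()),
    tlv(0x82, f"{DOMAIN}.{TLD}".encode()),
    dir_name(TLD, DOMAIN),                  # DER order; Windows displays it reversed
    tlv(0x86, f"http://.{DOMAIN}.{TLD}".encode()), tlv(0x86, f"http://{DOMAIN}.{TLD}".encode()),
])

# ---- decoding ---------------------------------------------------------------
def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                             # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def read_seq(body):                          # every (tag, value) in a constructed body
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def decode_general_name(tag, val):
    if tag == 0xA0:                          # otherName: keep type-id and raw value, never fail
        (_, oid), (_, wrapped) = read_seq(val)
        return {"form": "otherName", "type_id": decode_oid(oid), "value": read_tlv(wrapped)[1]}
    if tag in (0x81, 0x82, 0x86):
        form = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "uniformResourceIdentifier"}[tag]
        return {"form": form, "value": val.decode("ascii")}
    if tag == 0xA4:                          # Name = SEQUENCE OF SET OF SEQUENCE {oid, value}
        rdns = [(decode_oid(read_seq(atv)[0][1]), read_seq(atv)[1][1].decode())
                for _, rdn in read_seq(read_tlv(val)[1]) for _, atv in read_seq(rdn)]
        return {"form": "directoryName", "value": rdns}
    return {"form": "unknown", "value": val}

def decode_name_constraints(der):
    out = {"permitted": [], "excluded": []}
    for tag, subtrees in read_seq(read_tlv(der)[1]):
        key = "permitted" if tag == 0xA0 else "excluded"
        for _, subtree in read_seq(subtrees):
            out[key].append(decode_general_name(*read_seq(subtree)[0]))  # base; min/max ignored
    return out

def render(n):                               # OpenSSL-style one-liners, as in the report
    f = n["form"]
    if f == "otherName":
        return "othername:<unsupported>"
    if f == "directoryName":
        return "DirName:" + ", ".join(f"{ATTR_NAMES.get(o, o)} = {v}" for o, v in n["value"])
    return {"rfc822Name": "email", "dNSName": "DNS", "uniformResourceIdentifier": "URI"}[f] + ":" + n["value"]

def form_key(n):                             # otherName forms are distinguished by type-id
    return n["form"] + (":" + n["type_id"] if n["form"] == "otherName" else "")

def unprocessable_forms_used(constraints, leaf_names, supported):
    """RFC 5280 4.2.1.10: a critical constraint on a name form the verifier cannot
    process is fatal only if the leaf actually carries a name of that form."""
    constrained = {form_key(n) for n in constraints["permitted"] + constraints["excluded"]}
    return sorted((constrained - supported) & {form_key(n) for n in leaf_names})

SUPPORTED = {"rfc822Name", "dNSName", "directoryName", "uniformResourceIdentifier"}

if __name__ == "__main__":
    nc = decode_name_constraints(SAMPLE_EXT)
    for n in nc["permitted"]:
        print(render(n))
    leaf = [{"form": "dNSName", "value": f"host.{DOMAIN}.{TLD}"}]
    print("must reject:", unprocessable_forms_used(nc, leaf, SUPPORTED))
```

Run it as is and the ten rendered lines match the OpenSSL listing in the report (with the placeholders substituted); a leaf that only has a dNSName yields an empty "must reject" list, while a leaf carrying a UPN otherName would be the one case where a verifier without UPN support has to refuse the chain.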