Skip to content

GnuTLS doesn't validate version field when parsing PKCS#8 private key

Description of problem:

RFC 5958 shows Version ::= INTEGER { v1(0), v2(1) } (v1, ..., v2), version identifies the version of OneAsymmetricKey. If publicKey is present, then version is set to v2 else version is set to v1. However, here GnuTLS accepts a key with version number 3, and the attachment is the reproduction file. (In addition, RFC 5208 stipulates that the version number can only be 0.)test.zip

Version of gnutls used:

gnutls-cli 3.7.3

Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Ubuntu

How reproducible:

Steps to Reproduce:

  • one:gcc -o test3 test3.c pkg-config --cflags --libs gnutls
  • two:./test3

Actual results:

Accept the key.

Expected results:

Since the version number is 3, it should be rejected.