Name constraints apply to CN when no SubAltName.DNS is present and the CN is not a valid DNS name
Description of problem:
gnutls rejects intermediate CA when root CA has a name constraint and intermediate CA does not have Extended key usage (22.214.171.124) pidgin-2.13.0 cannot validate XMPP server certificate and does not connect
Version of gnutls used:
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
I have an internal PKI infrastructure like this:
Root CA Intermediate CA Servers certificates
My Root CA have some name constraints that limit Servers certificate to only domains under our control. We have been using this setup for some years now without issues. However, pidgin always failed to authenticate xmpp certificates.
pidgin has x509_certificate_signed_by to test a certificate validity. It will be called twice:
x509_certificate_signed_by("server_certificate", "Intermediate CA") x509_certificate_signed_by("Intermediate CA", "Root CA")
In that pidgin function, it calls gnutls_x509_crt_verify (a _gnutls_verify_crt_status wrapper) with the comment "Now, check the signature".
_gnutls_verify_crt_status eventually calls "verify_crt()" with the comment "Verify the last certificate in the certificate path"
One of the tests is:
gnutls_x509_name_constraints_check_crt(vparams->nc, GNUTLS_SAN_DNSNAME, cert);
Which will test name constraints agains DNSNAME (subjetAltName). However, if no subjetAltName was found, it will also test against CN but only "verify the name constraints against the CN, if the certificate is not a CA. We do this check only on certificates marked as WWW server, because that's where the CN check is only performed.".
It checks if it is a "server certificate" and not a CA using _gnutls_check_key_purpose that calls gnutls_x509_crt_get_key_purpose_oid. gnutls_x509_crt_get_key_purpose_oid simply bails out if there is no "126.96.36.199" extension and it assumes that certificate can be used by "any purpose". Well, my Intermediate CA has these key usage (188.8.131.52): "Certificate Sign, CRL Sign" and Basic Constraint CA:TRUE, but not Extended key usage (184.108.40.206).
My Intermediate CA is considered as a "Web Server". As it normally happens, my Intermediate CA CN will not be a valid DNS name that satisfy Root CA DNS Name constraint. "Intermediate CA" certificate is rejected and also "Server certificate".
Normally a DNS name constraint should not be tested against a CN that does not look like a FQDN. Also, I might have missed something but it looks like name constraint are tested only against issuer name constraint. However, name constraint should be tested all way down the chain, testing "Server Certificate" names also against Root CA name constraints:
Client rejects server certificate blaming that "Intermediate CA" certificate is invalid
As any other SSL lib tested, certificate should be accepted. Also, gnutls-cli does accept that certificate.
Is pidgin using something that it shouldn't?