Skip to content

Improve certificate sanity checks

Zoltán Fridrich requested to merge ZoltanFridrich/gnutls:zfridric_devel into master

This patch aims to enforce more stricter certificate sanity checks and make gnutls more RFC 5280 compliant. Some of the sanity checks require --enable-strict-x509 option to be enabled.

  • (strict-x509) parse all certificate extensions when loading the certificate to prohibit random octet strings
  • prohibit any garbage bits in key usage extension
  • prohibit empty DirectoryString in Distinguished name structures of Issuer and Subject name

Closes #1218

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • Code modified for feature
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated / NEWS entry present (for non-trivial changes)
  • CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Daiki Ueno

Merge request reports