Hi,

please see the following certificate:


It seems to be a valid certificate for OpenSSL, right?

But it isn't, see the OID 2.5.4.8 (stateOrProvinceName):

00000b0: 310b 3009 0603 5504 0613 0244 4531 0930  1.0...U....DE1.0
00000c0: 0706 0355 0408 1300 3112 3010 0603 5504  ...U....1.0...U.
00000d0: 0713 094b 6172 6c73 7275 6865 3114 3012  ...Karlsruhe1.0.

Octal sequence 3109300706035504081300..

The value has zero length. According to RFC 3280, which defines
X.509 certificates, these entries, if they exist, must not have
an empty value.

Am I wrong?


I found this problem while using FileZilla (which uses GnuTLS),
which refused to connect to a host using such a (broken) certificate:

  Error: GnuTLS error -71 in gnutls_x509_crt_get_dn: ASN1 parser: Generic
parsing error.
  Error: Could not get distinguished name of certificate subject,
gnutls_x509_get_dn failed
  Error: Could not connect to server

For further details please see:
https://forum.filezilla-project.org/viewtopic.php?f=2&t=31046

I am wondering why OpenSSL doesn't complain.

Tested with OpenSSL 1.0.1e 11 Feb 2013.


Please tell me what you think:

 - Am I wrong?

 - Isn't that a bug?

 - Is GnuTLS wrong?

 - Did I misunderstand RFC 3280?


Thanks!


-- 
Regards,
Igor
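As an added illustration (not part of Igor's mail or of OpenSSL/GnuTLS code), the following walks a DER-encoded subject Name and reports attributes whose value is zero length, which is the RFC 3280 SIZE (1..MAX) constraint the mail says GnuTLS enforces. The sample Name is constructed from the three RDNs visible in the hexdump; the OID-to-name table is a small convenience map, not a complete registry.

```python
# Constructed sample (not the mail's certificate): a subject Name made of the
# three RDNs shown in the hexdump: C=DE, an empty stateOrProvinceName, L=Karlsruhe.
SUBJECT_DER = bytes.fromhex(
    "302c"                                          # SEQUENCE, 44 bytes
    "310b3009060355040613024445"                    # SET { SEQ { 2.5.4.6, "DE" } }
    "3109300706035504081300"                        # SET { SEQ { 2.5.4.8, "" } }  <- zero length
    "31123010060355040713094b61726c7372756865"      # SET { SEQ { 2.5.4.7, "Karlsruhe" } }
)

OID_NAMES = {"2.5.4.6": "countryName", "2.5.4.8": "stateOrProvinceName",
             "2.5.4.7": "localityName", "2.5.4.3": "commonName",
             "2.5.4.10": "organizationName"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, value) for each TLV in a constructed value's contents."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(raw):
    """Turn OID contents bytes into dotted form, e.g. 55 04 08 -> 2.5.4.8."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; return [(oid, value_bytes), ...]."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs = []
    for set_tag, rdn in iter_tlvs(body):
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        for _, atv in iter_tlvs(rdn):
            (_, oid_raw), (_, value) = list(iter_tlvs(atv))   # AttributeType, AttributeValue
            attrs.append((decode_oid(oid_raw), value))
    return attrs

def empty_attributes(der):
    """Names of DN attributes with a zero-length value (forbidden by RFC 3280's SIZE (1..MAX))."""
    return [OID_NAMES.get(oid, oid) for oid, value in parse_name(der) if not value]
```

Running `empty_attributes(SUBJECT_DER)` on the constructed Name flags only stateOrProvinceName, the same attribute the hexdump and the GnuTLS error point at.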
