cve🔗
cve::cve-2024-0567🔗
Tests CVE-2024-0567.
Produces the following valid trust graph:
leaf -> A1 -> (A <-> B <-> C) -> Root A
In other words: leaf is signed by intermediate A1, which in turn is signed
by A, which is mutually cross-signed by CAs B and C. This naively results
in a cycle, which can be resolved because A is also present as a self-signed
root in the trusted set.
B and C also have subordinate CAs (B1 and C1), but these do not factor
into the constructed chain.
Affects GnuTLS prior to 3.8.3.
- Announcement: https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
- Patch: https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405
This testcase is an independent recreation of the testcase in the patch, for CABF conformance.
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
|---|---|---|---|---|---|---|
| SUCCESS | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
| Harness | Result | Context |
|---|---|---|
gnutls-certtool-3.7.3 |
❌ (unexpected failure) | Chain verification output: Not verified. The certificate is NOT trusted. The name in the certificate does not match the expected. |
openssl-3.2.1 |
✅ | N/A |
rust-webpki |
✅ | N/A |
openssl-3.0.13 |
✅ | N/A |
pyca-cryptography-42.0.5 |
✅ | N/A |
openssl-1.1 |
✅ | N/A |
gocryptox509-go1.22.2 |
✅ | N/A |
openssl-3.1.5 |
✅ | N/A |
certvalidator-0.11.1 |
❌ (unexpected failure) | The path could not be validated because the end-entity certificate contains the following unsupported critical extension: subject_alt_name |
rustls-webpki |
✅ | N/A |