cve🔗
cve::cve-2024-0567🔗
Tests CVE-2024-0567.
Produces the following valid trust graph:
leaf -> A1 -> (A <-> B <-> C) -> Root A
In other words: leaf
is signed by intermediate A1
, which in turn is signed
by A
, which is mutually cross-signed by CAs B
and C
. This naively results
in a cycle, which can be resolved because A
is also present as a self-signed
root in the trusted set.
B
and C
also have subordinate CAs (B1
and C1
), but these do not factor
into the constructed chain.
Affects GnuTLS prior to 3.8.3.
- Announcement: https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
- Patch: https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405
This testcase is an independent recreation of the testcase in the patch, for CABF conformance.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
✅ | N/A |
gnutls-certtool-3.7.3 |
❌ (unexpected failure) | Chain verification output: Not verified. The certificate is NOT trusted. The name in the certificate does not match the expected. |
certvalidator-0.11.1 |
❌ (unexpected failure) | The path could not be validated because the end-entity certificate contains the following unsupported critical extension: subject_alt_name |
pyca-cryptography-43.0.1 |
✅ | N/A |
rustls-webpki |
✅ | N/A |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
✅ | N/A |
openssl-1.1 |
✅ | N/A |