wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!

Home Page: https://www.wolfssl.com


[Bug]: X509_NAME_cmp returns != 0 for subject names that only differ in capitalization

colmenero opened this issue · comments

Contact Details

colmenero.sendra@gmail.com

Version

5.5.1 (but I tested it on master as well, see reproducer)

Description

wolfSSL directly compares the subject name strings, and capitalization matters. On the other hand, OpenSSL's X509_NAME_cmp compares the canonical encoding representation, which is always lowercase; capitalization of the original subject names doesn't matter. There is a difference in behavior between the two crypto libraries.

The next question is, should capitalization matter?
According to the X509 RFC, section 4.1.2.6:

Where it is non-empty, the subject field MUST contain an X.500 distinguished name (DN). Implementations of this specification MAY use the comparison rules in Section 7.1[...]

In that section we have:

Comparisons of domainComponent attributes MUST be performed as specified in Section 7.3.

And in that one:

Conforming implementations shall perform a case-insensitive exact match when comparing domainComponent attributes in distinguished names

So I would understand that capitalization does not matter when comparing subject names.

Reproduction steps

x509_name_cmp.zip

I've attached a reproducer that reads two certificates that have subject names only differing in capitalization. The reproducer then compares the subject names. You can see that OpenSSL returns that the subject names are equal, but wolfSSL says that they are different.

Relevant log output

No response
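The comparison behaviour discussed in this issue, sketched for a single DN attribute value as an added example that is not part of the original issue and is not wolfSSL's or OpenSSL's code. It goes slightly beyond the case difference reported here: besides ASCII case folding it also trims and collapses whitespace, as caseIgnoreMatch-style comparison does. The function names and sample values are hypothetical, and only ASCII is folded.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Canonical form of one DN attribute value (hypothetical helper):
 * ASCII-lowercase, leading/trailing whitespace dropped, inner runs of
 * whitespace collapsed to one space. Bytes >= 0x80 (UTF-8) pass through
 * unchanged in the default "C" locale.
 * Returns the canonical length, or -1 if out is too small. */
static int dn_value_canon(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    int pending_space = 0;

    if (outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (isspace(c)) {
            pending_space = (n > 0);      /* ignore leading whitespace */
            continue;
        }
        if (n + (size_t)pending_space + 1 >= outsz)
            return -1;                    /* no room for char(s) + NUL */
        if (pending_space) {
            out[n++] = ' ';
            pending_space = 0;
        }
        out[n++] = (char)tolower(c);
    }
    out[n] = '\0';                        /* trailing whitespace never emitted */
    return (int)n;
}

/* Returns 0 when the two values match canonically, non-zero otherwise.
 * Values too long for the buffers fall back to an exact byte comparison,
 * so an oversized input can never be reported as equal to a different one. */
int dn_value_cmp_canon(const char *a, const char *b)
{
    char ca[256], cb[256];

    if (dn_value_canon(a, ca, sizeof ca) < 0 ||
        dn_value_canon(b, cb, sizeof cb) < 0)
        return strcmp(a, b);
    return strcmp(ca, cb);
}

int main(void)
{
    const char *x = "Example Org", *y = "EXAMPLE   org ";  /* constructed values */
    printf("raw differs: %d, canonical cmp: %d\n", strcmp(x, y) != 0, dn_value_cmp_canon(x, y));
    return 0;
}
```

Code that chains certificates or pins a subject by name should use one comparison rule consistently across every crypto backend it supports, otherwise the same certificate pair can be accepted by one build and rejected by another.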

Hi @colmenero,

I was able to reproduce and fix the problem very easily thanks to your excellent reproducer. I didn't even need to rebuild the applications!

Can you please let me know a bit about yourself and your project? What are your goals? What are you trying to achieve? Is this for personal, professional or academic interest? Any information you would be willing to share would be greatly appreciated.

Warm regards, Anthony

Hi @anhu,

I'm glad to hear that it was easy to reproduce and fix.

This is for professional interest. I work for a company that develops a product that can use either OpenSSL or wolfSSL as the crypto library. In fact, I believe we have wolfSSL support because we've previously contacted you through another person in the organization. In any case, you are always very responsive on GitHub and this was a small fix, so opening a bug report seemed like a good option.

Thanks for the help!