Maniphest T7171

Allow for empty Subject in X.509
Open, NormalPublic
Actions

Assigned To

None

Authored By

	• werner
	Jun 20 2024, 3:12 PM

Tags

Subscribers

Description

RFC-5280 has somewhat complicated rules on whether the Subject may be empty. On gnupg-users a problem was described with a Sectigo issued certificate. This is the first cert I have seen with empty Subject and critical marked altSubjectName. This is valid but not supported by LibKSBA.

We need to properly parse such a cert and make sure that gpgsm can work with it.

Revisions and Commits

rK libksba
	rKf2e2f320c9de Allow for an empty Subject in certs.
rG GnuPG
	rG3765b42383bb sm: Emit user IDs in colon mode even if the Subject is empty.
	rG1067e544c29d sm: Emit user IDs in colon mode even if the Subject is empty.

Related Objects

Mentioned In: T7030: Release GnuPG 2.4.6
T7189: Release GnuPG 2.5.0
T7173: Release libksba 1.6.7

Event Timeline

• werner triaged this task as Normal priority.Jun 20 2024, 3:12 PM

• werner created this task.

• werner renamed this task from Allow for empty Subject in X.508 to Allow for empty Subject in X.509.Jun 20 2024, 3:27 PM

• werner added a commit: rG1067e544c29d: sm: Emit user IDs in colon mode even if the Subject is empty..Jun 21 2024, 10:21 AM

• werner added a commit: rKf2e2f320c9de: Allow for an empty Subject in certs..Jun 21 2024, 10:33 AM

• werner mentioned this in T7173: Release libksba 1.6.7.Jun 21 2024, 2:09 PM

• werner added a commit: rG3765b42383bb: sm: Emit user IDs in colon mode even if the Subject is empty..Jul 1 2024, 3:13 PM

• werner mentioned this in T7189: Release GnuPG 2.5.0.Jul 5 2024, 2:42 PM

• werner mentioned this in T7030: Release GnuPG 2.4.6.Oct 21 2024, 3:29 PM