Bug 174193: certutil doesn't verify signature on cert request before issuing cert
Status: Closed (RESOLVED FIXED)
Opened 22 years ago, closed 22 years ago
Categories: NSS :: Tools, defect, P1
Target Milestone: 3.7
Tracking: Not tracked
People: Reporter: nelson, Assigned: nelson
Attachments (2 files):
3.51 KB patch, rrelyea: review+
3.12 KB patch
A certificate request is a signed document. The signature proves that the requestor holds the private key that corresponds to the public key in the cert request. Any CA program, including certutil, should verify that signature before honoring it. It appears to me that certutil decodes the signed data, but doesn't actually verify it. So, any requester can get a cert issued. This is very bad if someone is going to use certutil to try to be a real CA. I think the solution is to do something very similar to CERT_VerifySignedData except that the public key is taken from the request, not from a certificate.
Comment 1•22 years ago (Assignee)
I created a new function SECStatus CERT_VerifySignedDataWithPubKeyInfo(CERTSignedData *sd, CERTSubjectPublicKeyInfo *pubKeyInfo, void *wincx) that checks the signature on a certrequest (or any signedData) using the public key info taken from a PublicKeyInfo, such as the one found in a cert request. This new function will be exported from NSS. I added a call to this function in certutil's function that imports and parses a cert request. Please review.
Comment 2•22 years ago (Assignee)
Bob, please review the patch in this bug. Thanks.
Comment 3•22 years ago (Assignee)
Taking bug, since I have a patch for it already.
Assignee: wtc → nelsonb
Updated•22 years ago (Assignee)
Priority: -- → P1
Target Milestone: --- → 3.7
Comment 4•22 years ago (Assignee)
Marking assigned. Since I already have a patch for it.
Status: NEW → ASSIGNED
Comment 5•22 years ago (Assignee)
Patch checked in. Marking fixed.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 6•22 years ago
Comment on attachment 103261: new func to check signature on cert request, call from certutil
The patch looks fine, though I would have preferred the interface to take the public key and let the application do the SECKEY_ExtractPublicKey(). bob
Attachment #103261 - Flags: review+
Comment 7•22 years ago (Assignee)
In light of Bob's comment above, I wrote a new function CERT_VerifySignedDataWithPublicKey, and changed the existing functions CERT_VerifySignedDataWithPubKeyInfo and CERT_VerifySignedData to use this new function, since it contained logic previously common to both. Bob, please review this patch.
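Added example, not part of the bug report or the NSS patch: a Python model of the check the report asks for, where the CA verifies a request's signature with the public key carried in the request itself before issuing. The CertRequest class, the function names and the textbook-RSA keys are assumptions made for illustration; real requests are PKCS#10 structures and real signatures use padding.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Return (n, d) for textbook RSA from two primes (toy sizes, no padding)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass(frozen=True)
class CertRequest:  # hypothetical stand-in for a PKCS#10 request
    subject: str
    pub_n: int      # public key carried inside the request
    signature: int = 0

def digest(req):
    """Hash the to-be-signed part (subject + public key), reduced below n."""
    tbs = f"{req.subject}|{req.pub_n}|{E}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % req.pub_n

def sign_request(subject, pub_n, signer_n, signer_d):
    """Requester side: sign the request body with a private key."""
    req = CertRequest(subject, pub_n)
    return replace(req, signature=pow(digest(req), signer_d, signer_n))

def verify_request(req):
    """CA side: check the signature with the key taken from the request."""
    return pow(req.signature, E, req.pub_n) == digest(req)

def issue(req):
    """Refuse to issue unless the requester proved possession of the key."""
    if not verify_request(req):
        raise ValueError("bad signature on cert request")
    return f"cert for {req.subject}"

# Constructed sample keys built from known Mersenne primes (not for real use).
KEY_A_N, KEY_A_D = make_key(2**127 - 1, 2**89 - 1)
KEY_B_N, KEY_B_D = make_key(2**107 - 1, 2**61 - 1)

# Request signed by the holder of the private key that matches its public key.
honest = sign_request("CN=alice", KEY_A_N, KEY_A_N, KEY_A_D)
# Request that names key A's public key but was signed with key B.
no_possession = sign_request("CN=other", KEY_A_N, KEY_B_N, KEY_B_D)
# Correctly signed request whose subject was changed after signing.
altered = replace(honest, subject="CN=someone-else")
```

A CA that only decodes the request, as the report describes, would treat all three requests alike; with the check in issue(), only the first one gets a certificate.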