Closed Bug 1057123 Opened 11 years ago Closed 11 years ago

mozilla::pkix: allow end-entity certificates to assert keyCertSign in some cases

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla35
Tracking Flags:
Tracking Status
firefox33 + fixed
firefox34 + fixed
firefox35 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

Details

Attachments

(2 files, 2 obsolete files)

patch v3
76.03 KB, patch
briansmith
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review
patch for beta
75.76 KB, patch
keeler
: review+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review
Similarly to bug 1034124, when an end-entity certificate has a key usage extension that asserts keyCertSign, it is technically invalid. However, for compatibility reasons, this error should be overridable. Do do this, we should add a new error (MOZILLA_PKIX_ERROR_END_ENTITY_ASSERTS_KEY_CERT_SIGN or something) and use it in the appropriate place in pkixcheck.cpp (see the patch in bug 1040446). Then, we should make that error overridable by modifying NSSErrorsService.cpp (see the patch in bug 1034124). To test, generate a certificate with this problem in generate_certs.sh and add a test to test_cert_overrides.js.
I suggest that we just replace the check that an end-entity certificate's KU doesn't contain keyCertSign with a comment saying that we allow end-entity certificates (certificates without basicConstraints.cA set to true) to claim keyCertSign for compatibility reasons, but it doesn't matter because we only trust certificates with basicConstraints.cA set to true as CAs.
Attached patch patch (obsolete) — Splinter Review
Ok - I turned the check into a comment. (It looks like none of the key usage tests we had exercised this situation, so I added some tests. Unfortunately, because the generator scripts don't support an add-only mode (i.e. don't regenerate existing certificates), this patch is much larger than it needs to be.)
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8483111 - Flags: review?(brian)
David, don't you need to update the gtest pkixcheck_CheckKeyUsage_tests.cpp too?
Flags: needinfo?(dkeeler)
Whoops - forgot about that. Thanks.
Flags: needinfo?(dkeeler)
Attachment #8483111 - Attachment is obsolete: true
Attachment #8483111 - Flags: review?(brian)
Attached patch patch v2 (obsolete) — Splinter Review
Attachment #8483143 - Flags: review?(brian)
Comment on attachment 8483143 [details] [diff] [review] patch v2 Review of attachment 8483143 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/pkix/lib/pkixcheck.cpp @@ +154,5 @@ > + // extension (Section 4.2.1.9) MUST also be asserted." > + // However, we allow end-entity certificates (i.e. certificates without > + // basicConstraints.cA set to TRUE) to claim keyCertSign for compatibility > + // reasons. This does not compromise security because we only allow > + // certificates with basicConstraints.cA set to TRUE to act as CAs. I suggest that if requiredKeyUsageIfPresent == keyCertSign and endEntityOrCA == MustBeEndEntity, then we should fail with ERR_INADEQUATE_KEY_USAGE, i.e.: // your comment if (requiredKeyUsage == KeyUsage::keyCertSign && endEntityOrCA != EndEntityOrCA::MustBeCA) { return Result::ERROR_INADEQUATE_KEY_USAGE; } ::: security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp @@ -199,5 @@ > -TEST_F(pkixcheck_CheckKeyUsage, keyCertSign) > -{ > - NAMED_SIMPLE_KU(good, 2, 0x04); > - ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &good, > - KeyUsage::keyCertSign)); I think that this result should still be the same. The only thing that should be different is the result of CheckKeyUsage(EndEntityOrCA::MusteEndEntity, &good, Keyusage::someOtherKeyUsage) for an encoded key usage that includes someOtherKeyUsage AND keyCertSign.
Attachment #8483143 - Flags: review?(brian) → review-
(Sorry my suggestion in comment 1 was not well thought out, as you did exactly what I said in comment 1, instead of what I meant. Let me know if you disagree.)
Attached patch patch v3Splinter Review
I think what you outlined in comment 6 sounds like a good solution.
Attachment #8483143 - Attachment is obsolete: true
Attachment #8483641 - Flags: review?(brian)
Attachment #8483641 - Flags: review?(brian) → review+
Thanks for the review. Updating summary to more accurately describe the goal of this bug. https://tbpl.mozilla.org/?tree=Try&rev=9166806dc1d3
Summary: allow overrides for when an end-entity certificate has a key usage extension that asserts keyCertSign → mozilla::pkix: allow end-entity certificates to assert keyCertSign in some cases
https://hg.mozilla.org/mozilla-central/rev/2829560211c8
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Attached patch patch for betaSplinter Review
Approval Request Comment [Feature/regressing bug #]: mozilla::pkix (enabled by default in 31, not disable-able in 33) [User impact if declined]: users won't be able to access HP CommandView servers (see duplicate bugs) [Describe test coverage new/current, TBPL]: has tests [Risks and why]: low [String/UUID change made/needed]: none
Attachment #8493895 - Flags: review+
Attachment #8493895 - Flags: approval-mozilla-beta?
[Tracking Requested - why for this release]: mozilla::pkix compatibility bug (see comment 13)
status-firefox33: --- → affected
status-firefox34: --- → affected
status-firefox35: --- → fixed
tracking-firefox33: --- → ?
tracking-firefox34: --- → ?
Comment on attachment 8483641 [details] [diff] [review] patch v3 Approval Request Comment see comment 13
Attachment #8483641 - Flags: approval-mozilla-aurora?
Attachment #8493895 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8483641 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: