Closed Bug 1265499 Opened 4 years ago Closed 4 years ago

Ensure the content signature verifier checks that the EKU extension is present

Categories

(Core :: Security: PSM, defect)


Tracking

RESOLVED WONTFIX

People

(Reporter: mgoodwin, Assigned: mgoodwin)

Attachments

(1 file)

No description provided.
It would be better to add a flag to mozilla::pkix's BuildCertChain indicating that the EKU is required, and calling out this text in RFC 5280: "Certificate using applications MAY require that the extended key usage extension be present and that a particular purpose be indicated in order for the certificate to be acceptable to that application."

This can be done by changing this code in pkixcheck.cpp:

    // id-kp-OCSPSigning is the only EKU that isn't implicitly assumed when the
    // EKU extension is missing from an end-entity certificate. However, any CA
    // certificate can issue a delegated OCSP response signing certificate, so
    // we can't require the EKU be explicitly included for CA certificates.
    if (!foundOCSPSigning && requiredEKU == KeyPurposeId::id_kp_OCSPSigning) {
      return Result::ERROR_INADEQUATE_CERT_TYPE;
    }

In particular, that comment isn't correct in the face of this, and the code can be more generic: instead of "allow it to be implicit unless it's OCSP signing", the code can be "allow it to be implicit only if the caller wants to allow implicit EKU", as long as pkixocsp.cpp is changed to pass in the new "explicit EKU required" flag.

This way, all the EKU checking logic would stay in one place and you'd avoid adding yet another dependency on the NSS certificate parsing code.
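
The suggestion in the comment above, as an added sketch that is not mozilla::pkix code and not taken from this bug's attachment: it models an end-entity certificate only and contrasts the OCSP-only special case with a caller-supplied policy. Every type and function name here is hypothetical, and the sample certificates are constructed.

```cpp
#include <vector>

// Hypothetical model of the check; none of these names are mozilla::pkix
// identifiers, and only the end-entity case is modelled.
enum class KeyPurpose { ServerAuth, CodeSigning, OCSPSigning };
enum class EKUPolicy { AllowImplicit, RequireExplicit };
enum class CheckResult { Success, InadequateCertType };

// The EKU extension of an end-entity certificate as the checker sees it.
struct EKUExtension {
  bool present;                      // false: the certificate has no EKU extension
  std::vector<KeyPurpose> purposes;  // purposes listed when the extension is present
};

// True when the extension explicitly lists the required purpose.
static bool Lists(const EKUExtension& eku, KeyPurpose required) {
  for (KeyPurpose p : eku.purposes) {
    if (p == required) return true;
  }
  return false;
}

// Rule described by the quoted source comment: a missing extension implies
// every purpose except OCSP signing.
CheckResult CheckEKUSpecialCased(const EKUExtension& eku, KeyPurpose required) {
  if (!eku.present) {
    return required == KeyPurpose::OCSPSigning ? CheckResult::InadequateCertType
                                               : CheckResult::Success;
  }
  return Lists(eku, required) ? CheckResult::Success
                              : CheckResult::InadequateCertType;
}

// Generic rule: the caller states whether a missing extension is acceptable.
// An OCSP caller, or any caller that wants the RFC 5280 "MAY require"
// behaviour, passes RequireExplicit.
CheckResult CheckEKUWithPolicy(const EKUExtension& eku, KeyPurpose required,
                               EKUPolicy policy) {
  if (!eku.present) {
    return policy == EKUPolicy::AllowImplicit ? CheckResult::Success
                                              : CheckResult::InadequateCertType;
  }
  return Lists(eku, required) ? CheckResult::Success
                              : CheckResult::InadequateCertType;
}
```

With `RequireExplicit`, a certificate that lacks the extension is rejected for any purpose, which is the behaviour the bug title asks for; with the special-cased rule it is rejected only for OCSP signing.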
Closing, following discussion with Keeler. We'll likely be introducing something similar to Brian's suggestion in comment 2 for other reasons (in the not too distant future) but there's little benefit in doing this for this case.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
Comment on attachment 8742527 [details]
MozReview Request: Bug 1265499 - Ensure the content signature verifier checks that the EKU extension is present. r?keeler

https://reviewboard.mozilla.org/r/47257/#review44519
Attachment #8742527 - Flags: review?(dkeeler)