Bug 1488875 - Issue with whitelisting of DigiCert Root CAs that are cross-signed by Symantec
Status: RESOLVED INVALID (opened 6 years ago, closed 6 years ago)
Component: Core :: Security (defect)
Reporter: aaronmaxlevy; Assignee: Unassigned
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6
Steps to reproduce:
Changeset https://hg.mozilla.org/mozilla-central/annotate/df46a62ed521/security/certverifier/TrustOverride-AppleGoogleDigiCertData.inc#l303 was supposed to add the 4 DigiCert CAs that were specified by Google as part of the Chromium version of the Symantec distrust plan.
Actual results:
Instead, what got added was the normal versions of each of those Root CAs, instead of the versions of those Root CAs that were cross-signed by a Symantec Root for compatibility purposes.
Expected results:
If you look at Chromium source code (e.g. https://chromium.googlesource.com/chromium/src/+/c022914eb2e7eb78c5252723c31df770b05c023e/net/data/ssl/symantec/excluded/8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem) you will see that they are whitelisting the versions of certain DigiCert Root CAs that are cross-signed by a Symantec CA for compatibility purposes. Unless I am misunderstanding something, Firefox should be doing the same, but instead seems to have whitelisted the normal versions of the DigiCert Root CAs, which from my understanding would not actually have any impact, since those Root CAs aren't signed/issued by Symantec in the first place.
Comment 1•6 years ago
FYI J.C. Jones [:jcj] (he/him) since you were the original author of the commit in question.
Flags: needinfo?(jjones)
Comment 2•6 years ago
Thanks for bringing this up aaronmaxlevy.
Chrome has chosen to implement their whitelist referring to specific certificates in their code -- obviously there they must be sure they have the exact cross-signed certificate.
Firefox's implementation whitelists based on SPKI, which is the same for both the cross-signed and non-cross-signed versions of the certificates. We do reference the originals in comments, which is a little misleading, and I apologize for that. Nevertheless, since SPKIs reference the public key of the CA rather than the certificate-in-use, I believe the implementation works as-is even for the cross-signed case.
I did a few searches for sites that have cross-signatures and they seemed to work fine, but please reopen if you have indication that there are further issues!
Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jjones)
Resolution: --- → INVALID
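The SPKI-versus-certificate distinction in comment 2 is easy to check directly. The following is an added example, not code from Firefox's certverifier or from Chromium: it constructs a hypothetical "Root" CA key, issues one self-signed certificate for it and one cross-signed by an unrelated hypothetical "Legacy Root" (standing in for the Symantec cross-sign; no DigiCert or Symantec material is used), then shows that the SHA-256 of the SubjectPublicKeyInfo is identical for both while the whole-certificate hash differs. An override list keyed on SPKI fingerprints of the self-signed roots therefore also matches the cross-signed versions, which is the claim in the comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SPKIFingerprint hashes the certificate's SubjectPublicKeyInfo, the identity an
// SPKI-keyed override list matches on. It depends only on the CA's public key.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CertFingerprint hashes the whole DER certificate, the identity a per-certificate
// list (exact PEM files) matches on. It changes with issuer, serial and signature.
func CertFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// IsSPKIListed mimics an SPKI-keyed lookup: true if the certificate's public-key
// fingerprint is in the list, regardless of who signed the certificate.
func IsSPKIListed(cert *x509.Certificate, list []string) bool {
	fp := SPKIFingerprint(cert)
	for _, entry := range list {
		if entry == fp {
			return true
		}
	}
	return false
}

// caTemplate builds a minimal CA template (constructed test data, hypothetical names).
func caTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// makeCert signs tmpl with signer (the key of parent) and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildCrossSignedPair returns a self-signed "Root" and a second certificate for
// the SAME Root key issued by an unrelated "Legacy Root", i.e. a cross-sign.
func BuildCrossSignedPair() (selfSigned, crossSigned *x509.Certificate, err error) {
	legacyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	legacyTmpl := caTemplate("Legacy Root (constructed)", 1)
	legacy, err := makeCert(legacyTmpl, legacyTmpl, &legacyKey.PublicKey, legacyKey)
	if err != nil {
		return nil, nil, err
	}
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Self-signed version of Root: issuer == subject, signed with rootKey.
	rootTmpl := caTemplate("Root (constructed)", 2)
	if selfSigned, err = makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	// Cross-signed version: same subject and public key, but issued by Legacy Root
	// under a different serial and signed with legacyKey.
	crossTmpl := caTemplate("Root (constructed)", 3)
	if crossSigned, err = makeCert(crossTmpl, legacy, &rootKey.PublicKey, legacyKey); err != nil {
		return nil, nil, err
	}
	return selfSigned, crossSigned, nil
}

func main() {
	self, cross, err := BuildCrossSignedPair()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{self, cross} {
		fmt.Printf("issuer=%-28q spki=%s cert=%s\n", c.Issuer.CommonName, SPKIFingerprint(c)[:16], CertFingerprint(c)[:16])
	}
	// A list built from the self-signed root (as the Firefox comments reference) still matches the cross-sign.
	fmt.Println("cross-signed cert matched by SPKI list:", IsSPKIListed(cross, []string{SPKIFingerprint(self)}))
}
```

Running it prints two lines with the same `spki=` prefix and different `cert=` prefixes, followed by `true`. The design choice this illustrates is the one the comment describes: keying on SPKI pins the CA key, so every certificate carrying that key (self-signed or cross-signed) is covered, whereas keying on the certificate hash would require listing each cross-signed variant explicitly, as Chromium does.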
Comment 3•6 years ago
(In reply to J.C. Jones [:jcj] (he/him) from comment #2)
> Thanks for bringing this up aaronmaxlevy.
>
> Chrome has chosen to implement their whitelist referring to specific
> certificates in their code -- obviously there they must be sure they have
> the exact cross-signed certificate.
>
> Firefox's implementation whitelists based on SPKI, which is the same for
> both the cross-signed and non-cross-signed versions of the certificates. We
> do reference the originals in comments which is a little misleading, and I
> apologize for that. Nevertheless, since SPKIs reference the public key of
> the CA rather than the certificate-in-use, I believe the implementation
> works as-is even for the cross-signed case.
>
> I did a few searches for sites that have cross-signatures and they seemed to
> work fine, but please reopen if you have indication that there's further
> issues!
>
> Thanks!
Thanks! Yeah, looking at this code it was a bit confusing. Would it maybe make sense to include the cross-signed versions in the source code instead to make this more clear (or perhaps a comment)? Otherwise, when looking at that code it also isn't immediately clear why a non-Symantec Root CA is on that list.
I will do some additional testing on my end also to confirm though and let you know if there are any issues.
Thanks for the help / clarity!
-Aaron
Updated•6 years ago
Component: Untriaged → Security
Product: Firefox → Core