Closed Bug 1523484 Opened 6 years ago Closed 6 years ago

libpkix name constraints check treats CN as DNS name when it should not

Categories

(NSS :: Libraries, defect)

3.36
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ftweedal, Unassigned)

Details

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

  1. Have a CA with DNS name constraints permitted subtree.

  2. Verify a certificate with an Extended Key Usage not containing id-kp-serverAuth (e.g. an OCSP signing certificate), whose Subject DN CN attribute does not resemble a DNS name within the permitted subtree.

  3. Verify the certificate (using libpkix):

    NSS_ENABLE_PKIX_VERIFY=1 certutil -d $NSSDB -f $PWDFILE -V -e -n $NICKNAME -u O

Actual results:

Verification fails:

# NSS_ENABLE_PKIX_VERIFY=1 certutil -d $NSSDB -f $PWDFILE -V -e -n $NICKNAME -u O
certutil: certificate is invalid: The Certifying Authority for this certificate is not permitted to issue a certificate with this name.

Expected results:

Verification should succeed. The CN should not be treated as a DNS name unless the certificate being validated is a server authentication certificate (i.e. id-kp-serverAuth is asserted in the Extended Key Usage extension). For compatibility, it may be acceptable to continue treating CN as a DNS name if the certificate does not have the EKU extension.

I will follow up with a patch soon.
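The expected behaviour described above, modelled as an added example (this is illustrative code, not NSS or libpkix code, and not the reporter's patch): the Subject CN is only checked against DNS permitted subtrees when id-kp-serverAuth is in the EKU or the EKU extension is absent, while SAN dNSNames are always checked. The OID constants are the standard RFC 5280 values; the subtree matching follows RFC 5280 section 4.2.1.10.

```python
from typing import Iterable, List, Optional

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (RFC 5280)
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning (RFC 5280)


def cn_is_subject_to_dns_constraints(eku: Optional[Iterable[str]]) -> bool:
    """Decide whether the Subject CN must satisfy DNS name constraints.

    No EKU extension at all: keep treating CN as a DNS name (compatibility).
    EKU present: only when id-kp-serverAuth is asserted.
    """
    if eku is None:
        return True
    return ID_KP_SERVER_AUTH in set(eku)


def dns_name_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName matching: the name equals the base
    or is formed by adding one or more labels to the left of it."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def dns_names_to_check(cn: Optional[str], san_dns: List[str],
                       eku: Optional[Iterable[str]]) -> List[str]:
    """SAN dNSNames are always checked; the CN only when the rule above says so."""
    names = list(san_dns)
    if cn is not None and cn_is_subject_to_dns_constraints(eku):
        names.append(cn)
    return names


def check_name_constraints(cn: Optional[str], san_dns: List[str],
                           eku: Optional[Iterable[str]],
                           permitted_dns: List[str]) -> bool:
    """True if every DNS name that must be checked lies in some permitted subtree.

    An issuer with no DNS permitted subtrees imposes no DNS restriction.
    """
    if not permitted_dns:
        return True
    return all(any(dns_name_in_subtree(n, base) for base in permitted_dns)
               for n in dns_names_to_check(cn, san_dns, eku))


if __name__ == "__main__":
    # The scenario from this bug: an OCSP signing cert whose CN is not a DNS name.
    print(check_name_constraints("OCSP Responder", [], [ID_KP_OCSP_SIGNING], ["example.com"]))
```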

Maybe an RH NSS developer could review this?
Also, fixes should go together with a test.

Attachment #9039696 - Flags: review?(kaie)
Comment on attachment 9039696 [details] [diff] [review] nss-ftweedal-0000-Bug-1523484-do-not-treat-CN-as-DNS-name-for-non-serv.patch Daiki, maybe you could review this (or pass along to one of the other devs at Red Hat?)
Attachment #9039696 - Flags: review?(dueno)
Comment on attachment 9039696 [details] [diff] [review] nss-ftweedal-0000-Bug-1523484-do-not-treat-CN-as-DNS-name-for-non-serv.patch
Review of attachment 9039696 [details] [diff] [review]:
-----------------------------------------------------------------
The change looks reasonable at first glance, but it needs a test as Kai already pointed out. Bug 757854 might give you some inspiration.

Thanks Daiki, I'll add a test and provide an updated patch next week (or reach out if I cannot work out what to do). Have a great weekend!

Now with test.

Attachment #9039696 - Attachment is obsolete: true
Attachment #9039696 - Flags: review?(dueno)
Attachment #9041097 - Flags: review?(dueno)
Comment on attachment 9041097 [details] [diff] [review] nss-ftweedal-0000-Bug-1523484-do-not-treat-CN-as-DNS-name-for-non-serv.patch
Review of attachment 9041097 [details] [diff] [review]:
-----------------------------------------------------------------
Thank you for the update, it looks good to me. Try run is ongoing: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=776c6973b3a389b58a5278391b6e41e95441d2ed
Attachment #9041097 - Flags: review?(dueno) → review+
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.43