libpkix name constraints check treats CN as DNS name when it should not

RESOLVED FIXED in 3.43

Status

Product:
NSS
Component:
Libraries
Type:
defect
Status:
RESOLVED FIXED
Reported:
3 months ago
Modified:
3 months ago

People

(Reporter: ftweedal, Unassigned)

Tracking

Version:
3.36
Target:
3.43

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

nss-ftweedal-0000-Bug-1523484-do-not-treat-CN-as-DNS-name-for-non-serv.patch
7.93 KB, patch
ueno
: review+
Details | Diff | Splinter Review
(Reporter)

Description

3 months ago

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

  1. Have a CA with DNS name constraints permitted subtree.

  2. Verify a certificate with an Extended Key Usage not containing id-kp-serverAuth (e.g. an OCSP signing certificate), whose Subject DN CN attribute does not resemble a DNS name within the permitted subtree.

  3. Verify the certificate (using libpkix):

    NSS_ENABLE_PKIX_VERIFY=1 certutil -d $NSSDB -f $PWDFILE -V -e -n $NICKNAME -u O

Actual results:

Verification fails:

# NSS_ENABLE_PKIX_VERIFY=1 certutil -d $NSSDB -f $PWDFILE -V -e -n $NICKNAME -u O
certutil: certificate is invalid: The Certifying Authority for this certificate is not permitted to issue a certificate with this name.

Expected results:

Verification should succeed. The CN should not be treated as a DNS name unless the certificate being validated is a server authentication certificate (i.e. id-kp-serverAuth is asserted in the Extended Key Usage extension). For compatibility, it may be acceptable to continue treating CN as a DNS name if the certificate does not have the EKU extension.

I will follow up with a patch soon.

Comment 2

3 months ago

Maybe an RH NSS developer could review this?
Also, fixes should go together with a test.

Updated

3 months ago
Attachment #9039696 - Flags: review?(kaie)
 (Reporter)

Comment 3

3 months ago 
Comment on attachment 9039696 [details] [diff] [review]
nss-ftweedal-0000-Bug-1523484-do-not-treat-CN-as-DNS-name-for-non-serv.patch

Daiki, maybe you could review this (or pass along to one of the other devs
at Red Hat?)
Attachment #9039696 - Flags: review?(dueno)

Comment 4

3 months ago 
Comment on attachment 9039696 [details] [diff] [review]
nss-ftweedal-0000-Bug-1523484-do-not-treat-CN-as-DNS-name-for-non-serv.patch

Review of attachment 9039696 [details] [diff] [review]:
-----------------------------------------------------------------

The change looks reasonable at first glance, but it needs a test as Kai already pointed out.  Bug 757854 might give you some inspiration.
 (Reporter)

Comment 5

3 months ago

Thanks Daiki, I'll add a test and provide an updated patch next week (or reach out if I cannot work out what to do). Have a great weekend!

 (Reporter)

Comment 6

3 months ago

Now with test.

Attachment #9039696 - Attachment is obsolete: true
Attachment #9039696 - Flags: review?(dueno)
Attachment #9041097 - Flags: review?(dueno)

Comment 7

3 months ago 
Comment on attachment 9041097 [details] [diff] [review]
nss-ftweedal-0000-Bug-1523484-do-not-treat-CN-as-DNS-name-for-non-serv.patch

Review of attachment 9041097 [details] [diff] [review]:
-----------------------------------------------------------------

Thank you for the update, it looks good to me.  Try run is ongoing:
https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=776c6973b3a389b58a5278391b6e41e95441d2ed
Attachment #9041097 - Flags: review?(dueno) → review+

Comment 8

3 months ago

https://hg.mozilla.org/projects/nss/rev/db68b6975216

Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 3.43
You need to log in before you can comment on or make changes to this bug.