Closed Bug 1645349 Opened 5 years ago Closed 5 years ago

NSS does not enforce equality of the signatureAlgorithm and signature fields in X.509 certificates

Categories

(NSS :: Libraries, defect)

3.53
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1648172

People

(Reporter: mario.korth, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36

Steps to reproduce:

Create an nssdb in which the supplied root certificate is trusted (./certutil -A -d /cert/keydb/nssdb/ -t "TC,," -n rootv3 -i /cert/inputCerts/rootv3.pem) and add an arbitrary certificate which NSS can use as the server certificate (./pk12util -d /cert/keydb/nssdb/ -K 123456 -i /cert/inputCerts/rsav3.p12 -W 123456).

For convenience I attached a zip of my nssdb used during testing.

If you do not have a ready-to-run NSS installation, use the attached Dockerfile to build a fitting image with the following command:
docker build -t nss-3.53-server -f Dockerfile-3.53 .

Then start the container with this command:
docker run -it --rm -p 4433:4444 -v $(pwd):/cert nss-3.53-server

Navigate to /src/dist/Debug/bin/
Copy all content of /src/dist/Debug/lib/ to /lib

Start the nss selfserv utility with the following command line to require client certificate authentication:
./selfserv -n "TLS-Scanner CCA Leaf Certificate (ROOTv3_CAv3_LEAF_RSAv3) - RUB" -p 4444 -w 123456 -d /cert/keydb/nssdb/ -r -r

Connect to the server using the supplied certificates, e.g. using OpenSSL s_client:
openssl s_client -connect localhost:4433 -cert ROOTv3_CAv3_LEAF_RSAv3_MismatchingAlgorithms1__leaf_certificate1.pem -key rsakey_2.pem -CAfile ROOTv3_CAv3_LEAF_RSAv3_MismatchingAlgorithms1__ca_certificate1.pem

I'd like to note that I originally discovered the issue in 3.51.1 but confirmed its existence in 3.53.

Actual results:

NSS accepted the certificate even though it clearly violates the X.509 specification.

Expected results:

NSS should reject the certificates since the two fields differ.

I failed to mention the violated constraint. The X.509 spec explicitly requires the two fields to be equal. NSS does not enforce this and uses the unsigned field to determine which algorithm to use to verify the certificate's signature.

The legacy verifier doesn't conform with ... anything, frankly. selfserv should use moz::pkix. Mozilla::pkix does enforce this constraint. Marking as a duplicate of Bug 1648172.

I do appreciate the testing here; I just apologize that selfserv and the other test tools are so very far out of date compared to Firefox.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
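
The constraint discussed in this bug (RFC 5280 section 4.1.1.2 requires the outer, unsigned signatureAlgorithm to equal the signature field inside the signed tbsCertificate) can be checked directly on a certificate's DER bytes. The following Python code is an added example, not code from NSS or mozilla::pkix; the function names, the strict byte-for-byte comparison, and the skeleton test inputs (constructed, with sha256WithRSAEncryption and sha1WithRSAEncryption chosen as sample algorithms) are assumptions.

```python
# Added example: strict check that tbsCertificate.signature equals signatureAlgorithm.
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")    # sha1WithRSAEncryption

def read_tlv(buf, pos, limit):
    """Return (tag, value_start, element_end) for the DER element at pos, bounded by limit."""
    if pos + 2 > limit:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > limit:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("DER element overruns its container")
    return tag, pos, pos + length

def algorithm_fields(cert):
    """Return (inner, outer): raw DER of tbsCertificate.signature and signatureAlgorithm."""
    tag, body, end = read_tlv(cert, 0, len(cert))
    tbs_tag, pos, tbs_end = read_tlv(cert, body, end)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, _, nxt = read_tlv(cert, pos, tbs_end)
    if tag == 0xA0:  # optional [0] EXPLICIT version precedes serialNumber
        pos = nxt
        tag, _, nxt = read_tlv(cert, pos, tbs_end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    tag, _, inner_end = read_tlv(cert, nxt, tbs_end)
    outer_tag, _, outer_end = read_tlv(cert, tbs_end, end)
    if tag != 0x30 or outer_tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    return cert[nxt:inner_end], cert[tbs_end:outer_end]

def algorithms_match(cert):
    """True only if the signed (inner) and unsigned (outer) identifiers are byte-identical."""
    inner, outer = algorithm_fields(cert)
    return inner == outer

def tlv(tag, value):
    """Encode a short DER element; the constructed samples stay under 128 bytes."""
    return bytes([tag, len(value)]) + value

def skeleton_cert(inner_alg, outer_alg):
    """Constructed input: certificate-shaped DER with stub fields, not a real certificate."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + inner_alg + tlv(0x30, b""))
    return tlv(0x30, tbs + outer_alg + tlv(0x03, b"\x00"))
```

A verifier that applies this check before selecting the verification algorithm rejects the mismatching case instead of trusting the unsigned outer field.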