Closed Bug 1645357 Opened 5 years ago Closed 5 years ago

NSS allows X.509 certificates with weak keys

Categories

(NSS :: Libraries, defect)

3.53
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1648172

People

(Reporter: mario.korth, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36

Steps to reproduce:

Create a nssdb in which the supplied root certificate is trusted (./certutil -A -d /cert/keydb/nssdb/ -t "TC,," -n rootv3 -i /cert/inputCerts/rootv3.pem) and add an arbitrary certificate which nss can use as the server certificate (./pk12util -d /cert/keydb/nssdb/ -K 123456 -i /cert/inputCerts/rsav3.p12 -W 123456).

For convenience I attached a zip of my nssdb used during testing.

If you have no ready-to-run NSS installation, use the attached Dockerfile to build a fitting image with the following command:
docker build -t nss-3.53-server -f Dockerfile-3.53 .

Then start the container with this command:
docker run -it --rm -p 4433:4444 -v $(pwd):/cert nss-3.53-server

Navigate to /src/dist/Debug/bin/
Copy all content of /src/dist/Debug/lib/ to /lib

Start the nss selfserv utility with the following command line to require client certificate authentication:
./selfserv -n "TLS-Scanner CCA Leaf Certificate (ROOTv3_CAv3_LEAF_RSAv3) - RUB" -p 4444 -w 123456 -d /cert/keydb/nssdb/ -r -r

Connect to the server using the supplied certificates, e.g. using OpenSSL s_client:
openssl s_client -connect localhost:4433 -cert outputCerts/ROOTv3_CAv3_LEAF_RSAv3_weakKey__leaf_certificate1.pem -key keys/rsakey_weak512.pem -CAfile outputCerts/ROOTv3_CAv3_LEAF_RSAv3_weakKey__ca_certificate1.pem -cipher "DEFAULT@SECLEVEL=0" -tls1_2

Please note that it is required to reduce the security level of OpenSSL to even use the certificate with the weak key.

Actual results:

NSS considered the certificate valid and accepted the TLS connection.

Expected results:

RSA keys with a 512-bit modulus have been considered insecure for quite some time. Hence NSS should reject client certificates with keys of that strength.
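The minimum-key-size check the report expects, as an added example that is not part of the bug report or of NSS: a stand-alone DER walk over a certificate's SubjectPublicKeyInfo that measures the RSA modulus and rejects it below a policy threshold. The 2048-bit threshold, the function names and the constructed sample keys are assumptions made for this example.

```python
MIN_RSA_BITS = 2048  # assumed policy threshold for this example
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der(tag, value):
    """Encode one DER element; used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(i):
    """DER INTEGER; the extra byte keeps a high-bit-set modulus positive."""
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def rsa_modulus_bits(spki):
    """Return the RSA modulus size in bits, or None if the key is not rsaEncryption."""
    _, seq, _ = read_tlv(spki, 0)            # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg, pos = read_tlv(seq, 0)           # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid, _ = read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        return None
    bs_tag, bitstr, _ = read_tlv(seq, pos)   # subjectPublicKey BIT STRING
    if bs_tag != 0x03 or bitstr[0] != 0:     # first byte = unused-bit count, must be 0
        raise ValueError("malformed subjectPublicKey")
    _, rsa, _ = read_tlv(bitstr[1:], 0)      # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    _, modulus, _ = read_tlv(rsa, 0)
    return int.from_bytes(modulus, "big").bit_length()

def acceptable(spki, minimum=MIN_RSA_BITS):
    """The minimum that selfserv's legacy verifier does not enforce: reject short RSA keys."""
    bits = rsa_modulus_bits(spki)
    return bits is not None and bits >= minimum

def sample_rsa_spki(bits):
    """Constructed sample SPKI whose RSA 'modulus' has exactly `bits` bits (not a real key)."""
    n = (1 << (bits - 1)) | 1
    alg = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")  # rsaEncryption with NULL parameters
    rsa = der(0x30, der_int(n) + der_int(65537))
    return der(0x30, alg + der(0x03, b"\x00" + rsa))
```

Feeding `sample_rsa_spki(512)` to `acceptable` returns False while the 2048-bit sample passes; a real certificate's SubjectPublicKeyInfo can be extracted from its DER with the same `read_tlv` walker.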

The server, not the client, is responsible for validating (and rejecting) client certificates.

This seems like it should be WontFix. The client should not be involved in policy decisions around client certs.

NSS is the server in this case, so shouldn't it reject the certificate?

Ah, sorry, I misparsed this bug.

selfserv uses the legacy verifier which does not enforce any reasonable minimums on certificates, including client certificates, and it never will. Duplicate of bug 1648172, where we want to change the test utils to use moz::pkix.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
