Closed Bug 1672291 Opened 3 years ago Closed 3 years ago

libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.

Categories

(NSS :: Libraries, defect, P1)

3.53

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rrelyea, Assigned: rrelyea)

References

(Depends on 1 open bug)

Details

Attachments

(1 file)

When libpkix is checking an OCSP cert, it can't use the passed-in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)).

If the cert is self-signed, we don't really need to check the signature. You can't really attack a root cert by changing it because the full certificate generated the trust. None of our other verifiers check the signature on self-signed roots, so the fix is to skip the signature check if the certificate is self-signed.

The real fix is to actually hook up mozpkix and drop libpkix, but that seems to be stalled.

Depends on: 391476

Bob, since I see you've a patch on try, assigning this one to you. Thanks!

Assignee: nobody → rrelyea
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P1

Sorry, yes, I should have taken the bug when I created it.

Current status: We can't just ignore signatures when we verify self-signed certificates because we depend on that feature in our tests (to make sure we reject poorly constructed PSS signatures). If the self-signed cert is the leaf cert, we always check the signatures. This check happens in all our cert validation code (both pkix and classic).

Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1-signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. My current thoughts are to patch the OCSP response code to not check the signatures on the single cert if that cert is a self-signed root cert. This requires bug 391476 (I want the code to check all the trust bits, just not the signature).

When libpkix is checking an OCSP cert, it can't use the passed-in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)).

Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1-signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a self-signed root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA).
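
The decision described in the comments above, as an added toy model that is not part of the bug report and is not NSS or libpkix code. Every type, function and certificate name is hypothetical, and subject/issuer equality stands in for "self-signed".

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the decision in this bug. All names are hypothetical;
 * none of this is NSS or libpkix code. */
typedef enum { SIG_SHA1, SIG_SHA256 } SigAlg;

typedef struct {
    const char *subject, *issuer;
    SigAlg sig_alg;
    bool sig_valid;   /* would the signature verify cryptographically? */
    bool trusted_ca;  /* trust bits mark this cert as a trusted CA */
} Cert;

/* Assumption: subject == issuer stands in for "self-signed". */
static bool is_self_signed(const Cert *c) {
    return strcmp(c->subject, c->issuer) == 0;
}

/* Signature check as policy sees it: a disabled algorithm fails
 * even when the signature itself is mathematically fine. */
static bool signature_ok(const Cert *c, bool sha1_disabled) {
    if (sha1_disabled && c->sig_alg == SIG_SHA1) return false;
    return c->sig_valid;
}

/* Reported behaviour (signature step only): the root is a chain of
 * one, handled like a leaf, so its self-signature is verified. */
bool ocsp_root_check_before(const Cert *c, bool sha1_disabled) {
    return signature_ok(c, sha1_disabled);
}

/* Described fix: keep the trust-bit check, skip only the signature
 * check when the single cert is a self-signed root. */
bool ocsp_root_check_after(const Cert *c, bool sha1_disabled) {
    if (!c->trusted_ca) return false;
    return is_self_signed(c) || signature_ok(c, sha1_disabled);
}

/* Constructed sample certificates. */
static const Cert sha1_root    = {"CN=Root", "CN=Root", SIG_SHA1, true, true};
static const Cert unknown_root = {"CN=Other", "CN=Other", SIG_SHA1, true, false};

int main(void) {
    printf("before, sha1 off: %d\n", ocsp_root_check_before(&sha1_root, true));
    printf("after,  sha1 off: %d\n", ocsp_root_check_after(&sha1_root, true));
    printf("untrusted root:   %d\n", ocsp_root_check_after(&unknown_root, true));
    return 0;
}
```

The untrusted self-signed certificate is still rejected after the change, which is why the trust-bit check has to stay in place when the signature check is skipped.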

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.59