The default bug view has changed. See this FAQ.

certutil doesn't verify signature on cert request before issuing cert

RESOLVED FIXED in 3.7

Status

NSS
Tools
P1
normal
RESOLVED FIXED
15 years ago
15 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

A certificate request is a signed document.  The signature proves that
the requestor holds the private key that corresponds to the public key
in the cert request.  Any CA program, including certutil, should verify
that signature before honoring it.  

It appears to me that certutil decodes the signed data, but doesn't actually
verify it.  So, any requester can get a cert issued.  
This is very bad if someone is going to use certutil to try to be a real CA.

I think the solution is to do something very similar to CERT_VerifySignedData
except that the public key is taken from the request, not from a certificate.
(Assignee)

Comment 1

15 years ago
Created attachment 103261 [details] [diff] [review]
new func to check signature on cert request, call from certutil

I created a new function 
SECStatus
CERT_VerifySignedDataWithPubKeyInfo(CERTSignedData *sd,
				    CERTSubjectPublicKeyInfo *pubKeyInfo,
				   void *wincx)

that checks the signature on a certrequest (or any signedData) using 
the public key info taken from a PublicKeyInfo, such as the one found in
the a cert request.  This new function will be exported from NSS.

I added a call to this function in certutil's function that imports
and parses a cert request.  

Please review.
(Assignee)

Comment 2

15 years ago
Bob, please review the patch in this bug.  Thanks.
(Assignee)

Comment 3

15 years ago
Taking bug, since I have a patch for it already.
Assignee: wtc → nelsonb
(Assignee)

Updated

15 years ago
Priority: -- → P1
Target Milestone: --- → 3.7
(Assignee)

Comment 4

15 years ago
Marking assigned.  Since I already have a patch for it.
Status: NEW → ASSIGNED
(Assignee)

Comment 5

15 years ago
Patch checked in.  Marking fixed.  
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Comment 6

15 years ago
Comment on attachment 103261 [details] [diff] [review]
new func to check signature on cert request, call from certutil

The patch looks fine, thought I would have preferred the interface to take the
public key and let the application do the SECKEY_ExtractPublicKey().

bob
Attachment #103261 - Flags: review+
(Assignee)

Comment 7

15 years ago
Created attachment 103915 [details] [diff] [review]
Add function CERT_VerifySignedDataWithPublicKey

In light of Bob's comment above, I wrote a new function
CERT_VerifySignedDataWithPublicKey, and changed the existing functions
CERT_VerifySignedDataWithPubKeyInfo and CERT_VerifySignedData to use
this new function, since it contained logic previously common to both.

Bob, please review this patch.
(Assignee)

Updated

11 years ago
Blocks: 343231
You need to log in before you can comment on or make changes to this bug.