Certificate Acceptance Despite Corrupted Key Usage Extension
Categories
(NSS :: Libraries, defect)
Tracking
(firefox-esr115 wontfix, firefox126 wontfix, firefox127 wontfix, firefox128 fixed)
People
(Reporter: 2295456556, Assigned: keeler)
Details
(Keywords: reporter-external, sec-low, Whiteboard: [post-critsmash-triage][adv-main128-])
Attachments
(9 files)
|
3.71 KB,
application/x-x509-ca-cert
|
Details | |
|
2.65 KB,
application/x-x509-ca-cert
|
Details | |
|
1.86 KB,
application/x-x509-ca-cert
|
Details | |
|
1.31 KB,
application/x-x509-ca-cert
|
Details | |
|
56.57 KB,
image/png
|
Details | |
|
51.55 KB,
image/png
|
Details | |
|
1.69 KB,
application/octet-stream
|
Details | |
|
3.25 KB,
application/octet-stream
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
hosts.png
Steps to reproduce:
1.Generating a mutated digital certificate with an additional Subject Alternative Name (SAN) of "ypj.test.com", along with its corresponding root CA and private key.
2.Configuring an Nginx web server to use the mutated certificate and private key in HTTPS mode.
3.Setting up the local machine (127.0.0.1) as the server and mapping "ypj.test.com" to 127.0.0.1 in the hosts file.
4.Adding the root CA to the system's trusted root certificate store using certutil.
5.Running nginx.exe. Accessing the URL "https://ypj.test.com:443" in a web browser, where the certificate's SAN matches the URL.
Firefox-version-113.0
Actual results:
I encountered an issue involving the handling of certificates with corrupted key usage extensions in Firefox, which appears to violate RFC 5280 standards.
I purposely modified a certificate's key usage extension, changing its original values to a meaningless TLV (Tag-Length-Value) sequence. According to RFC 5280, when the key usage extension appears in a certificate, at least one of the bits MUST be set to 1 (RFC 5280, Section 4.2.1.3). This means that once a certificate includes the key usage extension, the extension must specify at least one key usage purpose. The corrupted key usage in the modified certificate fails to specify any valid key usage.
Chrome Response: Correctly rejects the certificate and displays an error message (NET::ERR_CERT_INVALID).
Firefox Response: Accepts the certificate without any rejection or warning.
Expected results:
For such certificates that violate RFC 5280 and have an indeterminate key usage, Firefox should:
Attempt to return a "Bad DER" error.
Issue a warning.
Reject the certificate to prevent potential security risks.
|
Reporter | |
Comment 1•1 year ago
|
||
|
|
Reporter | |
Comment 2•1 year ago
|
||
|
|
Reporter | |
Comment 3•1 year ago
|
||
|
|
Reporter | |
Comment 4•1 year ago
|
||
|
|
Reporter | |
Comment 5•1 year ago
|
||
|
|
Reporter | |
Comment 6•1 year ago
|
||
|
|
Reporter | |
Comment 7•1 year ago
|
||
|
|
Reporter | |
Comment 8•1 year ago
|
||
Additional Note: I accidentally uploaded the wrong file, rsa_pri_2048.pem. The private key for the End-entity certificate in the certificate chain should be rsa_pri_4096.pem.
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 9•1 year ago
|
||
|
|
Assignee | |
Comment 10•1 year ago
|
||
I'm fairly confident that there are no security implications here, but I'm rating this sec-low just to be safe. This could be an issue if e.g. we were using hash algorithms where attacker-controlled input could manipulate the internal state to cause a collision and forge a signature, but (at the moment) we're not, so I think we're good here.
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•5 months ago
|
Description
•