Closed
Bug 969938
Opened 10 years ago
Closed 10 years ago
test_ev_certs/generate.py and test_getchains/generate.py generate CA certificates with id-kp-OCSPSigning EKU
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: briansmith, Assigned: briansmith)
References
Details
Attachments
(1 file, 2 obsolete files)
40.36 KB,
patch
|
cviecco
:
review+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #969931 +++ > CA_eku = ("extendedKeyUsage = critical, serverAuth, clientAuth, " + > "1.3.6.1.5.5.7.3.9\n") 1.3.6.1.5.5.7.3.9 is id-kp-OCSPSigning. The new EKU checking code in insaniyy::pkix enforces the constraint that an id-kp-OCSPSigning certificate cannot be a CA certificate. The whole point of a delegated OCSP response signing certificate is to prohibit the OCSP response signer from issuing certificates.
Assignee | ||
Updated•10 years ago
|
Blocks: mozilla::pkix
Assignee | ||
Updated•10 years ago
|
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla30
Assignee | ||
Comment 1•10 years ago
|
||
This fixes the generation logic in generate.py. The patch is untested because of bug 969931. The test certificates need to be regenerated. Again, I did not do this yet because of bug 969931.
Attachment #8372926 -
Flags: review?(cviecco)
Assignee | ||
Updated•10 years ago
|
Assignee: brian → cviecco
Blocks: 938046
Summary: test_ev_certs/generate.py generates CA certificates with id-kp-OCSPSigning EKU → test_ev_certs/generate.py and test_getchains/generate.py generate CA certificates with id-kp-OCSPSigning EKU
Assignee | ||
Updated•10 years ago
|
Assignee: cviecco → brian
Assignee | ||
Comment 2•10 years ago
|
||
Instead of reviewing the certificates themselves, just review the steps I used to regenerate them (See bug 969992 comment 1): sudo apt-get install python-pexpect export OBJDIR=<path to objdir> cd security/manager/ssl/tests/unit/test_ev_certs PATH=$OBJDIR/dist/bin:$PATH LD_LIBRARY_PATH=$OBJDIR/dist/bin ./generate.py cd ../test_getchains PATH=$OBJDIR/dist/bin:$PATH LD_LIBRARY_PATH=$OBJDIR/dist/bin ./generate.py hg qnew update-certs.patch
Attachment #8372948 -
Flags: review?(cviecco)
Assignee | ||
Comment 3•10 years ago
|
||
Part 1 had a spurious change to pkixcheck.cpp in it that didn't below. While fixing that, I took the opportunity to combine both patches together. See previous comment about reviewing the binary file changes.
Attachment #8372926 -
Attachment is obsolete: true
Attachment #8372948 -
Attachment is obsolete: true
Attachment #8372926 -
Flags: review?(cviecco)
Attachment #8372948 -
Flags: review?(cviecco)
Attachment #8372949 -
Flags: review?(cviecco)
Comment 4•10 years ago
|
||
Comment on attachment 8372949 [details] [diff] [review] Fix Review of attachment 8372949 [details] [diff] [review]: ----------------------------------------------------------------- Brian, can you point me to the place where it says a CA cert cannot have OCSP signing EKU enforced? and if that is true, the final goal was not to require EKU of signers be a superset of what it signes? (the patch if we agree on where that happend will be r+)
Assignee | ||
Comment 5•10 years ago
|
||
(In reply to Camilo Viecco (:cviecco) from comment #4) > Brian, can you point me to the place where it says a CA cert cannot have > OCSP signing EKU enforced? > and if that is true, the final goal was not to require EKU of signers be a > superset of what it signes? > > (the patch if we agree on where that happend will be r+) That isn't explicitly called out in the spec. But, it is absolutely unsafe for a CA certificate to assert the id-kp-OCSPSigning EKU, because if it did have that EKU, then it could sign OCSP responses for itself, that would be considered valid.
Assignee | ||
Comment 6•10 years ago
|
||
Also, like I mentioned in another bug, it would be better if we didn't add any EKU at all to the CA certificates for these tests, because we're not testing EKU processing in these tests. Instead we should avoid adding extra info to the certs, so it is easier to understand what the test is testing.
Comment 7•10 years ago
|
||
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #6) > Also, like I mentioned in another bug, it would be better if we didn't add > any EKU at all to the CA certificates for these tests, because we're not > testing EKU processing in these tests. Instead we should avoid adding extra > info to the certs, so it is easier to understand what the test is testing. Is not better to argue to opposite? we should include all the recomendations/current uses of CA so that we test as close as possible to what is deployed? This sounds like an argument to do on irc. For bugzilla (EV) the intermediate has: KU: signer, cert signer and crl signer; EKU: SSL Server, SSL Client, Code signing, Email protection and Timestamping; Subject Key ID, Certificate Auth Key Id. Google intermediate: Key Usage: cert signer, crl signer; (NO EKU); Subject Key ID, Certificate Auth Key Id. Also you said: But, it is absolutely unsafe for a CA certificate to assert the id-kp-OCSPSigning EKU, because if it did have that EKU, then it could sign OCSP responses for itself, that would be considered valid. That seems like a bug in processing the OCSP response what does libpkix and classic do?
Updated•10 years ago
|
Attachment #8372949 -
Flags: review?(cviecco) → review+
Assignee | ||
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a2a1caee392b
Comment 9•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a2a1caee392b
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Assignee | ||
Comment 10•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/71f5f0c724e7
status-firefox29:
--- → fixed
Updated•10 years ago
|
status-firefox30:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•