Open Bug 970196 Opened 10 years ago Updated 2 years ago

Enforce that isCA bit and certSign/crlSign key usages are consistent in mozilla::pkix

Categories

(Core :: Security: PSM, defect, P3)


People

(Reporter: briansmith, Unassigned)

References

Details

(Whiteboard: [psm-backlog])

These key usages are redundant with the isCA bit, but belt-and-suspenders insanity should check that keyUsage == KU_KEY_CERT_SIGN when MustBeCA is true.

insanity needs to enforce that KU_KEY_CERT_SIGN requires isCA bit to be set (except v1 trust anchors).
Priority: -- → P4
Summary: Enforce that isCA bit and certSign/crlSign key usages are consistent in insanity::pkix → Enforce that isCA bit and certSign/crlSign key usages are consistent in mozilla::pkix
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #0)
> These key usages are redundant with the isCA bit, but belt-and-suspenders

<snip>

> insanity needs to enforce that KU_KEY_CERT_SIGN requires isCA bit to be set
> (except v1 trust anchors).

In bug 1057123, we decided to ignore keyCertSign for non-CA certificates, for compatibility reasons, so they are no longer exactly redundant.

> insanity should check that keyUsage == KU_KEY_CERT_SIGN when MustBeCA is
> true.

During path building, we already require that keyCertSign is asserted if there is any keyUsage extension in a CA certificate. However, when we're validating a cert for CA usage directly with BuildCertChain, we don't enforce that the caller passed in keyCertSign as requiredKeyUsageIfPresent. And, we allow CA certificates to omit the keyUsage extension.

However, I don't think these are major issues. Probably the WebPKI profile of X.509 should just ignore keyCertSign, and instead make basicConstraints.cA *the* bit to indicate that a certificate is a CA certificate. However, we'd need to look into how that would interact with CRL-signing-only certificates.
Severity: normal → minor
See Also: → 1057123
Severity: minor → S4
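The rules described in the reply above, as an added example that is not mozilla::pkix code and not from either commenter: a CA certificate may omit keyUsage but, if keyUsage is present, must assert keyCertSign; keyCertSign on a non-CA certificate is ignored for compatibility (bug 1057123); and, behind a `strict` flag, the stricter rule from comment #0 that keyCertSign requires the cA bit, with v1 trust anchors (which carry no extensions at all) treated as CAs. The DER reader is a minimal hand-written decoder for just the BasicConstraints and KeyUsage extension values, the names `check_ca_key_usage`, `Verdict` and `strict` are assumptions for illustration, and the DER byte strings at the bottom are constructed sample inputs.

```python
"""Model of the basicConstraints.cA / keyUsage consistency check discussed in
this bug. Added example, not mozilla::pkix code: the decoder handles only the
two extension values needed here, and check_ca_key_usage / Verdict / strict
are names assumed for illustration."""
from enum import Enum
from typing import Optional

# KeyUsage bit positions from RFC 5280 section 4.2.1.3; bit 0 is the most
# significant bit of the first content byte after the unused-bits count.
KEY_CERT_SIGN = 5
CRL_SIGN = 6


def _read_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for one short-form DER TLV."""
    tag = data[pos]
    length = data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths are not needed for these extensions")
    start = pos + 2
    end = start + length
    if end > len(data):
        raise ValueError("truncated TLV")
    return tag, data[start:end], end


def decode_basic_constraints(der: bytes) -> bool:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen ... }.
    Returns cA; an absent BOOLEAN means FALSE, which DER requires for defaults."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    if not body:
        return False
    inner_tag, inner, _ = _read_tlv(body)
    if inner_tag != 0x01:
        return False  # first element is not the BOOLEAN, so cA is defaulted
    if inner not in (b"\x00", b"\xff"):
        raise ValueError("BOOLEAN must be 0x00 or 0xFF under DER")
    return inner == b"\xff"


def decode_key_usage(der: bytes) -> set:
    """KeyUsage ::= BIT STRING; returns the set of asserted bit numbers."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x03 or not body:
        raise ValueError("KeyUsage must be a non-empty BIT STRING")
    unused, payload = body[0], body[1:]
    if unused > 7 or (not payload and unused != 0):
        raise ValueError("bad unused-bits count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused trailing bits must be zero under DER")
    return {i * 8 + b for i, byte in enumerate(payload)
            for b in range(8) if (byte >> (7 - b)) & 1}


class Verdict(Enum):
    OK = "ok"
    CA_LACKS_KEY_CERT_SIGN = "CA certificate has keyUsage without keyCertSign"
    KEY_CERT_SIGN_WITHOUT_CA = "keyCertSign asserted but cA is FALSE"


def check_ca_key_usage(basic_constraints: Optional[bytes],
                       key_usage: Optional[bytes], *, version: int = 3,
                       trust_anchor: bool = False,
                       strict: bool = False) -> Verdict:
    """Apply the rules from the bug thread to one certificate's extensions."""
    if version == 1 and (basic_constraints is not None or key_usage is not None):
        raise ValueError("v1 certificates cannot carry extensions")
    # v1 trust anchors predate basicConstraints, so they count as CAs.
    is_ca = (version == 1 and trust_anchor) or (
        basic_constraints is not None and decode_basic_constraints(basic_constraints))
    ku = decode_key_usage(key_usage) if key_usage is not None else None
    if is_ca:
        # keyUsage may be absent on a CA; if present it must assert keyCertSign.
        if ku is not None and KEY_CERT_SIGN not in ku:
            return Verdict.CA_LACKS_KEY_CERT_SIGN
        return Verdict.OK
    # Non-CA: keyCertSign is ignored for compatibility unless strict is set.
    if strict and ku is not None and KEY_CERT_SIGN in ku:
        return Verdict.KEY_CERT_SIGN_WITHOUT_CA
    return Verdict.OK


# Constructed sample DER extension values (not taken from any real certificate).
BC_CA = bytes.fromhex("30030101ff")          # SEQUENCE { cA TRUE }
BC_NOT_CA = bytes.fromhex("3000")            # SEQUENCE { } -> cA defaults FALSE
KU_CA = bytes.fromhex("03020106")            # keyCertSign, cRLSign
KU_EE = bytes.fromhex("030205a0")            # digitalSignature, keyEncipherment
KU_CERT_SIGN_ONLY = bytes.fromhex("03020204")
KU_CRL_SIGN_ONLY = bytes.fromhex("03020102")

if __name__ == "__main__":
    print(check_ca_key_usage(BC_CA, KU_EE))
    print(check_ca_key_usage(BC_NOT_CA, KU_CERT_SIGN_ONLY, strict=True))
```

A CRL-signing-only certificate (cRLSign without keyCertSign, cA FALSE) passes in both modes, which is exactly the case the reply says would need more thought before basicConstraints.cA could become the only CA indicator.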