Open
Bug 970196
Opened 10 years ago
Updated 2 years ago
Enforce that isCA bit and certSign/crlSign key usages are consistent in mozilla::pkix
Categories
(Core :: Security: PSM, defect, P3)
NEW
People
(Reporter: briansmith, Unassigned)
Details
(Whiteboard: [psm-backlog])
These key usages are redundant with the isCA bit, but belt-and-suspenders insanity should check that keyUsage == KU_KEY_CERT_SIGN when MustBeCA is true. insanity needs to enforce that KU_KEY_CERT_SIGN requires isCA bit to be set (except v1 trust anchors).
Updated•10 years ago (Reporter)
No longer blocks: mozilla::pkix
Updated•10 years ago (Reporter)
Blocks: mozilla::pkix-beta
Updated•10 years ago (Reporter)
Priority: -- → P4
Updated•10 years ago
Summary: Enforce that isCA bit and certSign/crlSign key usages are consistent in insanity::pkix → Enforce that isCA bit and certSign/crlSign key usages are consistent in mozilla::pkix
Updated•10 years ago
Blocks: mozilla::pkix-next
Updated•10 years ago
No longer blocks: mozilla::pkix-beta
Comment 1•9 years ago (Reporter)
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #0)
> These key usages are redundant with the isCA bit, but belt-and-suspenders
<snip>
> insanity needs to enforce that KU_KEY_CERT_SIGN requires isCA bit to be set
> (except v1 trust anchors).

In bug 1057123, we decided to ignore keyCertSign for non-CA certificates, for compatibility reasons, so they are no longer exactly redundant.

> insanity should check that keyUsage == KU_KEY_CERT_SIGN when MustBeCA is
> true.

During path building, we already require that keyCertSign is asserted if there is any keyUsage extension in a CA certificate. However, when we're validating a cert for CA usage directly with BuildCertChain, we don't enforce that the caller passed in keyCertSign as requiredKeyUsageIfPresent. And, we allow CA certificates to omit the keyUsage extension.

However, I don't think these are major issues. Probably the WebPKI profile of X.509 should just ignore keyCertSign, and instead make basicConstraints.cA *the* bit to indicate that a certificate is a CA certificate. However, we'd need to look into how that would interact with CRL-signing-only certificates.
Severity: normal → minor
See Also: → 1057123
Whiteboard: [psm-backlog]
Priority: P4 → P3
Updated•2 years ago
Severity: minor → S4
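The two policies discussed in this thread, side by side, as an added example (not part of the bug thread and not mozilla::pkix code): `CheckAsDescribed` models the behaviour comment 1 describes, and `CheckStrict` models the consistency rule comment 0 asks for. All type and function names, the bit masks, and the reading of the strict rule for certificates without a keyUsage extension are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>
// Hypothetical names for this example; not the mozilla::pkix API.
enum class Role { MustBeEndEntity, MustBeCA };
enum class Verdict { Ok, NotCA, MissingKeyCertSign, KeyCertSignWithoutCA };

// Masks chosen for this example; bit numbers follow RFC 5280 KeyUsage.
constexpr uint8_t KU_KEY_CERT_SIGN = 1u << 5;
constexpr uint8_t KU_CRL_SIGN = 1u << 6;

struct CertFields {
  int version;         // 1 or 3
  bool isTrustAnchor;
  bool isCA;           // basicConstraints.cA
  bool hasKeyUsage;    // false when the extension is absent
  uint8_t keyUsage;
};

// A v1 certificate cannot carry basicConstraints, so a v1 trust anchor is
// accepted as a CA (the exception named in comment 0).
static bool IsV1Anchor(const CertFields& c) { return c.version == 1 && c.isTrustAnchor; }
static bool ActsAsCA(const CertFields& c) { return c.isCA || IsV1Anchor(c); }
static bool HasCertSign(const CertFields& c) {
  return c.hasKeyUsage && (c.keyUsage & KU_KEY_CERT_SIGN) != 0;
}

// Comment 1's description: keyCertSign is ignored on non-CA certificates; a
// CA may omit keyUsage, but a keyUsage that is present must assert the bit.
Verdict CheckAsDescribed(const CertFields& c, Role role) {
  if (role == Role::MustBeEndEntity) return Verdict::Ok;
  if (!ActsAsCA(c)) return Verdict::NotCA;
  if (c.hasKeyUsage && !HasCertSign(c)) return Verdict::MissingKeyCertSign;
  return Verdict::Ok;
}

// Comment 0's proposal, read here as: keyCertSign implies CA, and a CA must
// assert keyCertSign (exempting v1 trust anchors is this example's assumption).
Verdict CheckStrict(const CertFields& c, Role role) {
  if (HasCertSign(c) && !ActsAsCA(c)) return Verdict::KeyCertSignWithoutCA;
  if (role == Role::MustBeEndEntity) return Verdict::Ok;
  if (!ActsAsCA(c)) return Verdict::NotCA;
  if (!HasCertSign(c) && !IsV1Anchor(c)) return Verdict::MissingKeyCertSign;
  return Verdict::Ok;
}

int main() {  // constructed sample: CA cert whose keyUsage asserts only cRLSign
  CertFields c = {3, false, true, true, KU_CRL_SIGN};
  std::printf("described=%d strict=%d\n", (int)CheckAsDescribed(c, Role::MustBeCA),
              (int)CheckStrict(c, Role::MustBeCA));
}
```

The two functions disagree on exactly the cases the thread raises: an end-entity certificate that asserts keyCertSign, and a CA certificate with no keyUsage extension.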