Correct check_chain() on X509_V_FLAG_X509_STRICT (-x509_strict option)#13832
Correct check_chain() on X509_V_FLAG_X509_STRICT (-x509_strict option)#13832DDvO wants to merge 3 commits intoopenssl:masterfrom
Conversation
DDvO
changed the title
-x509_strict)
t8m
left a comment
t8m
left a comment
There was a problem hiding this comment.
LGTM, although maybe adding something to Changes.md would be a good idea.
DDvO
force-pushed
the
correct_strict_check_chain
branch
from
817b820 to
d096527
Compare
Done, and also extended |
DDvO
changed the title
|
@t8m, your comments have been addressed; |
kaduk
left a comment
kaduk
left a comment
There was a problem hiding this comment.
Some "drive by" comments; I didn't get to really review in depth.
vdukhovni
left a comment
vdukhovni
left a comment
There was a problem hiding this comment.
Overall, the code reorg and some of the changes look like progress, but I think we still need to sort out a few details.
crypto/x509/x509_vfy.c
Outdated
There was a problem hiding this comment.
This check was previously only applied to non-EE certificates, i.e. those actually used in chain-integrity signature verification. If the application (not SSL, where this is not allowed) wants to allow use of explicit EC parameters, this is not the place to override that policy.
The only quibble is perhaps whether the check should be applied if we're checking "SS" signatures (even of EE certs)
There was a problem hiding this comment.
Actually, the check was previously done for all certs in the chain if the chain had more than one element.
Note that this PR stops checking directly trusted EE certs already before reaching this point and on the other hand removes the num > 1 guard that preceded these checks because I believe this guard has become pretty redundant.
If you want to have that it only applies to non-EE certificates, (which has not really the case before this PR), this check needs to be guarded differently.
DDvO
force-pushed
the
correct_strict_check_chain
branch
from
d096527 to
a5c6227
Compare
I fully agree - yet another form of unreadable code 😉 How about adding |
I don't have strong view on which header, the prefix should indicate that that these are CA validity code points, so something like (your call): But if you think of something better, go with that. Since these are internal code points, in some suitable non-public header. |
DDvO
force-pushed
the
correct_strict_check_chain
branch
2 times, most recently
from
e2de593 to
3f8bd34
Compare
|
It turns out that those wonderful(ly) magic numbers returned by |
|
I've just tentatively added a further check to but maybe this is redundant because it is guaranteed not to happen when reaching it? |
DDvO
force-pushed
the
correct_strict_check_chain
branch
from
7534c25 to
7a973a4
Compare
|
Rebased to solve merge conflicts. |
CHANGES.md
Outdated
There was a problem hiding this comment.
I don't recall seeing a rationale for allowing v1 certs in strict mode. Did I miss somewhere amidst all the comments? Also, I don't actually see a matching change in the code. Is this still a thing???
There was a problem hiding this comment.
Oh, I just found that I had neglected not only this PR in general
but also your (@vdukhovni 's) latest comments there for long - sorry for that!
Well, to me the rationale is simply that v1 certs are not forbidden by RFC 5280, which is aged but still in charge.
The only thing I found there in this direction is in https://datatracker.ietf.org/doc/html/rfc5280#section-6.1.4:
Conforming implementations may choose to reject all version 1 and version 2 intermediate certificates.)
As far as I understand, our strict mode enforces strict requirements on X.509 certs (mostly from RFC 5280),
part of which OpenSSL so far has not really checked (for whatever reasons).
In other words, strict mode should not be more strict than RFC 5280.
crypto/x509/x509_vfy.c
Outdated
There was a problem hiding this comment.
It seems to me that the original code here (added recently in 1.1.1, after I last took a deep dive into the X.509 verification code) may not have been doing what was intended. The test num > 1 [addition by DvO for clarity: which has been removed here] tests the chain to see whether it has any CAs, and if so restricts every certificate in the chain (including the leaf) to not use explicit curve parameters.
Is this really the correct criterion? If we're also testing the leaf cert when num > 1, why not test it when num == 1? Alternatively, if the idea is to make sure none of the CA certs have been "tweaked", shouldn't the test be i > 0 rather than num > 1 and test everything but the leaf cert?
Finally, OpenSSL does not IIRC share the Windows Curveball bug, so it is not entirely clear why this has been added to OpenSSL.
The reason I mention all this, is that the new code is subtly different. It no longer applies the num > 1 constraint, but it is only enforced after self-issued EE certificates are exempted from further checks. This means that with partial_chain and a non-self-issued, but trusted EE certificate will now also be restricted when it is the only one in the chain.
So there are many subtle edge conditions here, and I don't have a clear sense that anyone knows what the expected semantics are. So I'd like to see that resolved.
There was a problem hiding this comment.
Good point that the intention which certs should actually be checked here under which circumstances is somewhat unclear.
AFAIR, I thought that the guard num > 1 makes not much sense and thus simply removed it.
Yet to be on the conservative side, I just re-added it and added a TODO comment about it such that this PR is relieved from solving this pre-existing issue.
There was a problem hiding this comment.
| Non-CA certificate required but has CA markings. | |
| A CA certificate was encountered in a context where only a non-CA certificates are expected. |
There was a problem hiding this comment.
Changed to: CA certificate was encountered where only a non-CA certificate is expected.
|
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 92 days ago |
DDvO
force-pushed
the
correct_strict_check_chain
branch
from
7a973a4 to
9855b47
Compare
github-actions
bot
added
the
severity: fips change
Extend checking single root CA certs also to strict mode. Unknown critical extensions in certs used only as trust anchors are now rejected only in strict mode because they are explicitly exempted from RFC requirements. The expectations on whether a cert is (likely) a CA or not are no more checked for directly trusted EE certs because such certs have been explicitly exempted from RFC requirements.
DDvO
force-pushed
the
correct_strict_check_chain
branch
from
0f7c889 to
359968d
Compare
|
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 92 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 123 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 154 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 185 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 216 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 247 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 278 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 309 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 340 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 371 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 402 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 433 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 464 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 495 days ago |
|
We should revive this as it seems to make sense. Unfortunately it needs a rebase. |
t8m
added
triaged: feature
After languishing for two years without any action, that is not surprising. |
|
Could you please rebase the PR to resolve conflicts? |
|
@vdukhovni, @t8m, unfortunately, I won't have the time to continue working on this. |
|
Closing for the time being. |
6 participants
This has been extracted from #13658 as requested by #13658 (comment).
Once that PR is merged the three new tests marked there as TODO can be re-enabled.
x509_vfy.c: strictcheck_chain()should check also single root CA certsx509_vfy.c: rejecting unknown extensions in certs used solely as trust anchors is now done only in strict mode because such certs have been explicitly exempted from RFC requirements.x509_vfy.c:check_chain()must allow V1 self-signed cert also in strict modethe expectations on whether a cert is (likely) a CA or not are no more checked for directly trusted EE certs because such certs have been explicitly exempted from RFC requirements.
Checklist