On 07/10/2015 09:32 AM, Matt Caswell wrote:
>
> On 10/07/15 13:09, R C Delgado wrote:
>> Hello,
>>
>> With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c.
>> How deep does the certificate chain have to be?
>> If I have 2 self-signed CA certificates, and a non-CA certificate is
>> received for verification, will this hit the problem?
>>
>> Also, is it a condition of the bug that both CA certificates have to
>> have the same subject names and keys, as suggested in the file?
>
> The conditions for triggering the bug are a little complicated, but I'll
> do my best to explain it.
>
<snip>
> So these certs would need to be present (at a minimum):
>
> Chain 1:
>
> Trusted Cert 1
>       |
> Untrusted Cert 1
>       |
> Leaf
>       |
> Bad
>
> Chain 2:
>
> Trusted Cert 2
>       |
> Leaf
>       |
> Bad
>
> There are other possible longer chains, but this is the minimum set. For
> 1.0.2, Chain 1 would have to be non-trusted, even though we have added a
> trusted cert. This can occur if Trusted Cert 1 is not self signed and
> its issuer is not in the trusted store. For 1.0.1 any chain will do.
> Untrusted Cert 1 and Trusted Cert 2 would both have to be valid issuers
> of Leaf (i.e. they have the same subject names and public keys). Chain 2
> must be trusted (so Trusted Cert 2 has to be a self-signed root).
>

Thanks, Matt. This is the most cogent explanation I've seen to date.

Cheers

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------
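The conditions quoted above can be checked mechanically against a test fixture or a captured set of certificates. The following is an added example, not part of the thread and not OpenSSL code: a toy model in which plain strings stand in for names and keys, and `Cert`, `issues`, `matches_minimum_set`, `sample` and `askers_case` are hypothetical names with constructed sample values. It performs no real X.509 parsing or signature checking.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Toy certificate; plain strings stand in for names and keys."""
    subject: str
    issuer: str
    key: str               # this cert's public key
    signer_key: str        # key that signed this cert
    trusted: bool = False  # True if present in the trusted store

def issues(parent, child):
    """parent is a valid issuer of child (name chains, signing key matches)."""
    return parent.subject == child.issuer and parent.key == child.signer_key

def matches_minimum_set(certs, branch):
    """True if certs hold Chain 1 and Chain 2 from the post; branch is "1.0.1" or "1.0.2"."""
    trusted = [c for c in certs if c.trusted]
    untrusted = [c for c in certs if not c.trusted]
    for leaf in untrusted:
        if not any(issues(leaf, bad) for bad in untrusted if bad is not leaf):
            continue  # nothing below Leaf, so no "Bad"
        for u1 in (c for c in untrusted if c is not leaf and issues(c, leaf)):
            # Trusted Cert 2: self-signed root with Untrusted Cert 1's subject and key
            if not any(issues(t2, t2) and (t2.subject, t2.key) == (u1.subject, u1.key)
                       for t2 in trusted):
                continue
            for t1 in (t for t in trusted if issues(t, u1)):
                if branch == "1.0.1":
                    return True  # "any chain will do"
                # 1.0.2: Trusted Cert 1 not self-signed, its issuer not in the store
                if not issues(t1, t1) and not any(issues(p, t1) for p in trusted):
                    return True
    return False

def sample(t1_self_signed):
    """Constructed five-certificate set laid out as in the post."""
    t1 = (Cert("Root A", "Root A", "kA", "kA", True) if t1_self_signed
          else Cert("Inter A", "Root X", "kA", "kX", True))  # Root X not in store
    return [t1,
            Cert("CA B", t1.subject, "kB", "kA"),    # Untrusted Cert 1
            Cert("CA B", "CA B", "kB", "kB", True),  # Trusted Cert 2
            Cert("leaf", "CA B", "kL", "kB"),        # Leaf
            Cert("bad", "leaf", "kBad", "kL")]       # Bad

def askers_case():
    """Constructed: two self-signed CAs (same subject and key) plus one leaf."""
    ca = Cert("CA B", "CA B", "kB", "kB", True)
    return [ca, ca, Cert("leaf", "CA B", "kL", "kB")]
```

In this model the set from the original question (two self-signed CAs and one leaf) does not match the minimum layout on either branch, because it has neither an untrusted issuer of the leaf nor a certificate below it.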