FW: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Just realized I sent this directly to Graham instead of to the list.

-----Original Message-----
From: Michael Wojcik
Sent: Friday, 28 May, 2021 09:37
To: 'Graham Leggett' <minfrin@xxxxxxxx>
Subject: RE: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Graham
> Leggett via openssl-users
> Sent: Friday, 28 May, 2021 06:30
>
> I am lost - I can fully understand what the code is doing, but I can’t see
> why openssl only trusts certs with “anyExtendedKeyUsage”.

Interesting. I wondered if this might be enforcing some RFC 5280 or CA / Browser Forum Baseline Requirements rule.

5280 4.2.1.12 says:

   In general, this
   extension will appear only in end entity certificates.

and

   If the extension is present, then the certificate MUST only be used
   for one of the purposes indicated.

Your certificate has serverAuth and emailProtection, yes? So it cannot be used to sign other certificates, and OpenSSL is correct as far as that goes. 5280 doesn't define an EKU for signing certificates; so perhaps the intent of the OpenSSL code is "if EKU is present, this probably can't be used as a CA cert without violating 5280, but I'll look for this 'any' usage just in case and allow that".

The errata for 5280 and the RFCs which update it do not appear to affect this section.


The CA/BF BR 7.1.2.1, the part of the certificate profile that covers root certificates, says:

   d. extKeyUsage
      This extension MUST NOT be present.

Now, there's no particular reason for OpenSSL to enforce CA/BF BR, and good reason for it not to (the "CA" part refers to commercial CAs, and not all clients are browsers). But it's more evidence that root certificates, at least, should not have extKeyUsage because browsers can correctly reject those.

The CA/BF profile is more complicated regarding what it calls "subordinate" certificates, aka intermediates, so for non-root trust anchors there are cases where you can get away with extKeyUsage. But a good rule is "only put extKeyUsage on entity [leaf] certificates".


So that really leaves us with the question "do we want OpenSSL enforcing the extKeyUsage rules of RFC 5280?". And I'm tempted to say yes. In principle, the basicConstraints CA flag and the keyUsage keyCertSign option should suffice for this, but defense in depth, and in cryptographic protocols consistency is extremely important.

--
Michael Wojcik
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux