gnutls fails to use Verisign CA cert without a Basic Constraint

Simon Josefsson simon at josefsson.org
Mon Feb 2 17:58:05 CET 2009


"Douglas E. Engert" <deengert at anl.gov> writes:

> Simon Josefsson wrote:
>> "Douglas E. Engert" <deengert at anl.gov> writes:
>>
>>> Simon Josefsson wrote:
>>>> If the patch is over 10 lines long we will need a copyright assignment
>>>> before we can apply it though.  If you want to speed up the process, you
>>>> could fill out the form below now.
>>>>
>>> I sent in the form to assign at gnu.org. They are sending a paper copy
>>> which must be signed and mailed back. This may be a problem, as I will
>>> have to get it OK'ed, which might take weeks.
>>>
>>> So here is the short version of a "shorten the cert chain" patch that
>>> is only 10 lines long. Do with it what you want. As this fixes
>>> our problem, I consider it a bug fix.
>>>
>>> But you will need to add a check_if_same_cert routine, which can be
>>> taken from the first half of the check_if_ca routine. The line numbers
>>> may be off, but in the 2.6.3 version, it would be inserted at line 394.
>>>
>>> This will also solve our problem, as V1 cert will not get used at all
>>> ans the intermediate cert is trusted and is V3.
>>
>> Thanks for the patch.  I started looking at this now, and there is a
>> small problem: the code removes certificates from the certificate chain
>> before the CRL code has had a chance to check whether certificates in
>> the chain are revoked.  I think the best is to move the CRL checking
>> code up a bit.
>
> But the certs it removes are ones that you have in your trusted list.

I think it can remove more, consider this:

Root-CA -> Intermediary-CA-1 -> Intermediary-CA-2 -> End-Entity Cert

Let's consider if you put I-CA-2 in your trusted cert list.  Your code
will shorten the cert list into I-CA-2 -> E-E Cert, thereby removing
I-CA-1.  However, it seems like I-CA-1 could be revoked by a CRL.
Before, the code would detect this and reject the chain.

I'm not sure what should happen here though... if you have a CRL that
revokes I-CA-1 but also explicitly trust I-CA-2, should validation
succeed or not?

> Are you saying that you don't check CRLs for the trusted certs? Should
> you?

The code reads:

  for (i = 0; i < clist_size; i++)
    {
      ret = gnutls_x509_crt_check_revocation (certificate_list[i],
					      CRLs, crls_size);
...

Thus, it only checks revocation for the earliest entries of clist_size.
Thus, it seems the CRL check should come early, before GnuTLS trims off
entries from clist_size.

I've moved the CRL check first in the function in the patch I have
installed.

I'm not sure how many are using CRLs though.

> Without the mod, is there a security concern if an attacker sends in a
> short list, in effect duplicating what the mod does?

I don't follow the attack?  If it is a short list, the chain won't
validate because GnuTLS will not be able to find intermediary certs.
GnuTLS will only use the trusted cert list to trim off certs from the
list, and to validate the last cert in the list.  Otherwise, the chain
needs to be complete (and in order) as provided from the server.

/Simon





More information about the Gnutls-devel mailing list