gnutls fails to use Verisign CA cert without a Basic Constraint

Douglas E. Engert deengert at anl.gov
Mon Feb 2 18:18:05 CET 2009



Simon Josefsson wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
> 
>> Simon Josefsson wrote:
>>> "Douglas E. Engert" <deengert at anl.gov> writes:
>>>
>>>> Simon Josefsson wrote:
>>>>> If the patch is over 10 lines long we will need a copyright assignment
>>>>> before we can apply it though.  If you want to speed up the process, you
>>>>> could fill out the form below now.
>>>>>
>>>> I sent in the form to assign at gnu.org. They are sending a paper copy
>>>> which must be signed and mailed back. This may be a problem, as I will
>>>> have to get it OK'ed, which might take weeks.
>>>>
>>>> So here is the short version of a "shorten the cert chain" patch that
>>>> is only 10 lines long. Do with it what you want. As this fixes
>>>> our problem, I consider it a bug fix.
>>>>
>>>> But you will need to add a check_if_same_cert routine, which can be
>>>> taken from the first half of the check_if_ca routine. The line numbers
>>>> may be off, but in the 2.6.3 version, it would be inserted at line 394.
>>>>
>>>> This will also solve our problem, as V1 cert will not get used at all
>>>> ans the intermediate cert is trusted and is V3.
>>> Thanks for the patch.  I started looking at this now, and there is a
>>> small problem: the code removes certificates from the certificate chain
>>> before the CRL code has had a chance to check whether certificates in
>>> the chain are revoked.  I think the best is to move the CRL checking
>>> code up a bit.
>> But the certs it removes are ones that you have in your trusted list.
> 
> I think it can remove more, consider this:
> 
> Root-CA -> Intermediary-CA-1 -> Intermediary-CA-2 -> End-Entity Cert
> 
> Let's consider if you put I-CA-2 in your trusted cert list.  Your code
> will shorten the cert list into I-CA-2 -> E-E Cert, thereby removing
> I-CA-1.  However, it seems like I-CA-1 could be revoked by a CRL.
> Before, the code would detect this and reject the chain.
> 
> I'm not sure what should happen here though... if you have a CRL that
> revokes I-CA-1 but also explicitly trust I-CA-2, should validation
> succeed or not?

Good question. I am am correct, some other versions of path validation, have
both trusted cert and intermediate cert stores: OpenSSL, NSS, and Windows.
GnuTLS appears to only have one trusted cert store.  In the the vendor's code
one could put I-CA-1 into the trusted cert store, and I-CA-2 in to the
intermediate store. I believe in this case the CRLs for I-CA-2 will be checked,
but not for I-CA-1.

> 
>> Are you saying that you don't check CRLs for the trusted certs? Should
>> you?
> 
> The code reads:
> 
>   for (i = 0; i < clist_size; i++)
>     {
>       ret = gnutls_x509_crt_check_revocation (certificate_list[i],
> 					      CRLs, crls_size);
> ...
> 
> Thus, it only checks revocation for the earliest entries of clist_size.
> Thus, it seems the CRL check should come early, before GnuTLS trims off
> entries from clist_size.
> 
> I've moved the CRL check first in the function in the patch I have
> installed.
> 
> I'm not sure how many are using CRLs though.
> 

Maybe not today, but people should...

>> Without the mod, is there a security concern if an attacker sends in a
>> short list, in effect duplicating what the mod does?
> 

I may not have understood your original concern.

> I don't follow the attack?  If it is a short list, the chain won't
> validate because GnuTLS will not be able to find intermediary certs.
> GnuTLS will only use the trusted cert list to trim off certs from the
> list, and to validate the last cert in the list.  Otherwise, the chain
> needs to be complete (and in order) as provided from the server.

My question may have come from the fact that GnuTLS has only one
cert store, rather then two, and tries to verify the cert chain all the
way to a self signed root cert, rather then saying it's OK to stop
at a trusted cert.

Our concern is to not have to put a Versign V1 self sign cert in the
cert store, but to trust the intermediate cert which they publish
on their web site.

> 
> /Simon
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444





More information about the Gnutls-devel mailing list