Issue 407093 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2014
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Incorrect Name Constraint Validation

Reported by calvinjl...@gmail.com, Aug 25 2014

Issue description

Chrome Version       : 
Google Chrome    36.0.1985.143 (Official Build 287914)
OS    Mac OS X
Blink    537.36 (@179211)
JavaScript    V8 3.26.31.15
Flash    14.0.0.177
User Agent    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Command Line    /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --flag-switches-begin --flag-switches-end
Executable Path    /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Profile Path    /Users/Calvin/Library/Application Support/Google/Chrome/Default

ProductName:    Mac OS X
ProductVersion:    10.9.4
BuildVersion:    13E28

What is the expected result?
Accept the certificate and establish the connection.

What happens instead?
Certificate rejected and connection terminated.

The browser rejects the following valid certificate chain. The target FQDN of the certificate is www.tls.test.

Root CA:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

A valid certificate chain that contains a NameConstraints extension. All (descendant) certificates in the chain conform to the permitted DNS-ID constraint set by int.lev1.ca.authority. However, Chrome rejected such a chain and terminated the connection. Name constraints should be verified according to RFC 5280 section 4.2.1.10.

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

There is also a compliance issue regarding the KeyUsage check in the server certificate. A separate report has been filed (Issue 406500).
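Added example, not part of the report above or of Chromium's code: a stdlib-only Python model of the RFC 5280 section 4.2.1.10 / 6.1.4 dNSName name-constraint check the reporter expects a verifier to perform. Certificates are plain dicts rather than parsed X.509, the chain is constructed to mirror the one in the report, and the permitted subtree value "tls.test" on int.lev1.ca.authority and the name of the second intermediate are assumptions (the page does not show the real constraint value).

```python
# Added example (not from the bug report or Chromium): a stdlib-only model of
# the RFC 5280 section 4.2.1.10 / 6.1.4 dNSName name-constraint check.
# Certificates are plain dicts, not parsed X.509; the chain below is
# constructed to mirror the report, and the permitted subtree "tls.test"
# and the second intermediate's name are assumptions.


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a subtree if it equals the
    subtree or is formed by adding one or more labels on the left.
    www.host.example.com satisfies host.example.com; host1.example.com
    does not. Comparison is case-insensitive. A leading dot on the subtree
    (seen in some CA profiles, not the RFC form) is tolerated."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".").lstrip(".")
    if not subtree:
        return False  # an empty subtree permits/excludes no name in this model
    return name == subtree or name.endswith("." + subtree)


def check_chain(chain):
    """chain is ordered root -> intermediates -> leaf. Each cert is a dict
    with 'subject', 'dns_names' (SAN dNSName entries) and optionally
    'name_constraints': {'permitted': [...], 'excluded': [...]}.

    RFC 5280 6.1.4: constraints carried by a CA apply to every certificate
    AFTER it in the path, not to that CA certificate itself. Permitted
    subtrees intersect across CAs (a name must satisfy every constraining
    CA's set); excluded subtrees accumulate (a name must match none).
    Returns a list of violation strings; an empty list means the chain
    passes. The CN-as-hostname fallback some validators apply is omitted."""
    permitted_sets = []   # one list per constraining CA (intersection)
    excluded = []         # union over all constraining CAs
    violations = []
    for cert in chain:
        for dns in cert.get("dns_names", []):
            for pset in permitted_sets:
                if not any(dns_name_in_subtree(dns, s) for s in pset):
                    violations.append(
                        f"{cert['subject']}: {dns} is outside permitted subtrees {pset}")
            for s in excluded:
                if dns_name_in_subtree(dns, s):
                    violations.append(
                        f"{cert['subject']}: {dns} is inside excluded subtree {s}")
        nc = cert.get("name_constraints")
        if nc:
            if nc.get("permitted"):
                permitted_sets.append(list(nc["permitted"]))
            excluded.extend(nc.get("excluded", []))
    return violations


def chain_is_valid(chain) -> bool:
    return not check_chain(chain)


# Constructed chain modelled on the report. The constraint value and the
# second intermediate's name are assumptions.
ROOT = {"subject": "Root CA", "dns_names": []}
LEV1 = {"subject": "int.lev1.ca.authority", "dns_names": [],
        "name_constraints": {"permitted": ["tls.test"]}}
LEV2 = {"subject": "int.lev2.ca.authority", "dns_names": []}
LEAF_OK = {"subject": "www.tls.test", "dns_names": ["www.tls.test"]}
# Same leaf with an extra SAN the constrained CA was never allowed to issue.
LEAF_BAD = {"subject": "www.tls.test",
            "dns_names": ["www.tls.test", "login.bank.example"]}

GOOD_CHAIN = [ROOT, LEV1, LEV2, LEAF_OK]
BAD_CHAIN = [ROOT, LEV1, LEV2, LEAF_BAD]

if __name__ == "__main__":
    print("good chain:", check_chain(GOOD_CHAIN) or "accepted")
    print("bad chain: ", check_chain(BAD_CHAIN))
```

The point worth checking in any verifier is the second chain: a constrained intermediate is only a useful control if the verifier rejects a leaf whose SAN falls outside the permitted subtree, and a verifier that skips the extension entirely (as the closing comment on this issue says the OS X stack did) accepts both chains.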
 
Labels: Cr-Internals-Network-SSL
Status: WontFix
Chrome defers to the OS cryptographic stack for verification.

It's a well-known, long-standing issue that Apple does not implement name constraints. This applies to all applications that use OS X's SSL or certificate verification libraries (e.g. Safari, curl, Python, etc.).
Labels: OS-Mac
