Issue 607954

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




X509Certificate::IsSelfSigned is inconsistent across platforms.

Project Member Reported by davidben@chromium.org, Apr 29 2016

Issue description

Assigning to palmer@ and adding Enamel labels since this function is (currently) only used in the SSL error classifier.

https://codereview.chromium.org/634033002 added X509Certificate::IsSelfSigned, but it behaves differently across platforms.

It is possible to construct a certificate that is signed by the subject's key but where the subject and issuer do not match. (This would mean the subject and issuer share a key.)

The Windows implementation I think only checks the signature, but I'm not sure. (Ryan?)
https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/x509_certificate_win.cc&q=X509Certificate::IsSelfSigned&sq=package:chromium&l=466&ct=rc&cd=1&dr=CSs

The iOS and Android implementations only check the signature.
https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/x509_certificate_ios.cc&q=X509Certificate::IsSelfSigned&sq=package:chromium&l=462&ct=rc&cd=2&dr=CSs
https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/x509_certificate_openssl.cc&q=X509Certificate::IsSelfSigned&sq=package:chromium&l=455&ct=rc&cd=5&dr=CSs

The Linux and CrOS implementations only check the signature.
https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/x509_certificate_nss.cc&q=X509Certificate::IsSelfSigned&sq=package:chromium&l=284&ct=rc&cd=4&dr=CSs

The Mac implementation checks BOTH the signature and the names.
https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/x509_certificate_mac.cc&q=X509Certificate::IsSelfSigned&sq=package:chromium&l=545&ct=rc&cd=3&dr=CSs

We should pick one behavior across platforms and test it. It would also be good to have a test for a self-issued but not self-signed certificate (names match but signatures don't). If we're going with the RFC 5280 definition of self-signed, I think the Mac implementation is correct and the others are missing name checks.

"Self-issued certificates are CA certificates in which the issuer and subject are the same entity.  Self-issued certificates are generated to support changes in policy or operations.  Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate."

Is that fine for Enamel's uses?
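
The three cases distinguished in the description above (self-signed, shared key with differing names, and self-issued but not self-signed), as an added example that is not part of the original report or of Chromium's code. It assumes the third-party Python `cryptography` package; the certificates, the names `a.test` and `b.test`, and the helper function names are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(subject_cn, issuer_cn, subject_key, signing_key):
    """Build a constructed test certificate; names and keys are sample values."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2016, 5, 1)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn))
            .issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .sign(signing_key, hashes.SHA256()))

def signature_ok(cert):
    """Signature-only check: the certificate's own key verifies its signature."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def names_match(cert):
    # Self-issued check. Assumption: exact DER comparison, no name normalization.
    return cert.subject.public_bytes() == cert.issuer.public_bytes()

def is_self_signed(cert):
    """RFC 5280 sense: self-issued AND verifiable with its own public key."""
    return names_match(cert) and signature_ok(cert)

def classify():
    """Return {case: (signature_ok, names_match, is_self_signed)}."""
    key, other = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    certs = {
        "self-signed": make_cert("a.test", "a.test", key, key),
        "shared key, names differ": make_cert("a.test", "b.test", key, key),
        "self-issued, bad signature": make_cert("a.test", "a.test", key, other),
    }
    return {k: (signature_ok(c), names_match(c), is_self_signed(c)) for k, c in certs.items()}

if __name__ == "__main__":
    print(classify())
```

A signature-only implementation returns true for the second case, while a name-and-signature implementation rejects it; both reject the third.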
 

Comment 1 by dadrian@google.com, May 16 2016

Owner: dadrian@google.com
I'm grabbing this bug since palmer@ is not actively working on it. It looks like the consensus is to check signature AND name on all platforms?
Signature & Name SGTM, although note that all of our platforms' underlying libraries consider name match on the normalized form, not the exact bytes.
Project Member

Comment 3 by bugdroid1@chromium.org, May 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/da42899529b15a0fa89a072c6e46c22c11292514

commit da42899529b15a0fa89a072c6e46c22c11292514
Author: dadrian <dadrian@google.com>
Date: Fri May 27 20:11:19 2016

Check self-signed certificate names and signatures

Add unit tests for self-signed certificates with invalid name/sigs

BUG= 607954 

Review-Url: https://codereview.chromium.org/1988993002
Cr-Commit-Position: refs/heads/master@{#396548}

[modify] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/cert/x509_certificate_ios.cc
[modify] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/cert/x509_certificate_nss.cc
[modify] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/cert/x509_certificate_openssl.cc
[modify] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/cert/x509_certificate_unittest.cc
[modify] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/cert/x509_certificate_win.cc
[modify] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/data/ssl/certificates/README
[add] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/data/ssl/certificates/self-signed-invalid-name.pem
[add] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/data/ssl/certificates/self-signed-invalid-sig.pem
[modify] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/data/ssl/scripts/ee.cnf
[add] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/data/ssl/scripts/generate-bad-self-signed.sh
[modify] https://crrev.com/da42899529b15a0fa89a072c6e46c22c11292514/net/net.gypi

Labels: M-53
Status: Verified (was: Assigned)
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
