New issue
Advanced search Search tips

Issue 634476 link

Starred by 4 users
Status: Fixed
Owner:
eroman@chromium.org
Closed: Jul 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 410574



Sign in to add a comment

[PKI library] Verify leaf certificate key size

Project Member Reported by eroman@chromium.org, Aug 4 2016 
tl;dr: The current verification API does not check to see if the leaf certificate's SPKI is something reasonable, and will happily verify an end-entity certificate with a weak key size.

More detail:

The current API uses a "SignaturePolicy" delegate during path building to ensure that chains in the path do not contain weak signatures. This abstraction combines some validations on the SPKI (such as minimum modulus size for RSA keys), as well as policy on signature algorithms (particularly digest used).

The weakness with this abstraction is it does not apply to the leaf certificate, since chain building is not actually verifying signatures signed by this certificate (the caller presumably will though).

We may return a chain that has strong signatures for each certificate, HOWEVER the leaf certificate has a 512 bit RSA key (since there was no signature verified yet using this key, the SignaturePolicy was not called).

This is dangerous, and should instead be done internally to prevent misuse.

Comment 1 by eroman@chromium.org, Sep 21 2016

Status: Available (was: Untriaged)
For reference, in the current cert verifier stack this is also being done by  ExaminePublicKeys() in cert_verify_proc.cc.

Comment 2 by eroman@chromium.org, Jul 25 2017

Owner: eroman@chromium.org
Status: Started (was: Available)
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 26 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5431d706fcb9b68710ef24e075d67bd19c0bc406

commit 5431d706fcb9b68710ef24e075d67bd19c0bc406
Author: Eric Roman <eroman@chromium.org>
Date: Wed Jul 26 01:58:18 2017

Add delegate interfaces for CertPathBuilder and VerifyCertificateChain.

The delegates subsume the functionality of SignaturePolicy, as well as adding a hook to check candidate paths built by CertPathBuilder.

Bug:  634476 
Change-Id: I7ed337001e93b5de187a1780562558acf54dc73a
Reviewed-on: https://chromium-review.googlesource.com/582127
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Luke Halliwell <halliwell@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#489526}
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/cast_certificate/cast_cert_validator_unittest.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/cast_certificate/cast_crl.cc
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/test/data/cast_certificate/certificates/create_signatures.py
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/test/data/cast_certificate/certificates/generate_rsa_device_certs.py
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/test/data/cast_certificate/certificates/rsa1024_device_cert.pem
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/test/data/cast_certificate/certificates/rsa2048_device_cert.pem
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/test/data/cast_certificate/signeddata/rsa1024_device_cert_data.pem
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/components/test/data/cast_certificate/signeddata/rsa2048_device_cert_data.pem
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/BUILD.gn
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/cert_errors.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/cert_errors.h
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/path_builder.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/path_builder.h
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/path_builder_verify_certificate_chain_unittest.cc
[delete] https://crrev.com/42791d1da4c538106b88e1e90aa73517fd9d0192/net/cert/internal/signature_policy.cc
[delete] https://crrev.com/42791d1da4c538106b88e1e90aa73517fd9d0192/net/cert/internal/signature_policy.h
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/simple_path_builder_delegate.cc
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/simple_path_builder_delegate.h
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/simple_path_builder_delegate_unittest.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/verify_certificate_chain.h
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/verify_certificate_chain_typed_unittest.h
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/verify_signed_data.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/verify_signed_data.h
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/internal/verify_signed_data_unittest.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/cert/x509_certificate_bytes.cc
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/incorrect-trust-anchor/main.test
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/pkits_errors/4.1.2.txt
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/pkits_errors/4.1.3.txt
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/pkits_errors/4.1.4.txt
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/pkits_errors/4.1.5.txt
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/pkits_errors/4.1.6.txt
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/target-has-512bit-rsa-key/chain.pem
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/target-has-512bit-rsa-key/generate-chains.py
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/target-has-512bit-rsa-key/keys/Intermediate.key
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/target-has-512bit-rsa-key/keys/Root.key
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/target-has-512bit-rsa-key/keys/Target.key
[add] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/target-has-512bit-rsa-key/main.test
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/target-signed-by-512bit-rsa/main.test
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/data/verify_certificate_chain_unittest/target-wrong-signature/main.test
[modify] https://crrev.com/5431d706fcb9b68710ef24e075d67bd19c0bc406/net/tools/cert_verify_tool/verify_using_path_builder.cc

Comment 4 by eroman@chromium.org, Jul 26 2017

Status: Fixed (was: Started)

Sign in to add a comment