Issue 798186

Starred by 6 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 3
Type: Bug




Ensure is_issued_by_known_root is consistent across platforms

Reported by rsleevi@chromium.org (Project Member), Dec 31 2017

Issue description

Presently, is_issued_by_known_root is dynamically computed (on all platforms but Windows), set to true if the terminal certificate in the chain is part of the OS trust store.

This has several deficiencies:
- It is non-deterministic across platforms and users, based on the state of the machine, but is used to enforce security policy, such as error reporting logic or pinning.
- Even if a certificate is issued by a 'known' (publicly trusted) CA, this check can be confounded for users that have installed older roots (e.g. legacy paths) no longer trusted by the OS (as some software does), or by cross-signing existing roots with an enterprise trust anchor.

Given that all current usages of "is_issued_by_known_root" are realistically questions about "is_publicly_trusted_ca", it seems appropriate to align the behaviour across platforms to return consistent answers.

This involves:
- Considering all certificates in the evaluation chain - if at least one issuing CA is publicly trusted, then we know that the leaf is in scope of public trust
- Considering the trust store status of all platforms, which we have available via net::GetNetTrustAnchorHistogramIdForSPKI()

Potential downsides:
- CAs that are trusted by a single platform (e.g. Windows), and that are manually installed by users on other platforms, will now be subject to public trust requirements on all platforms, and not just Windows.

This should be acceptable, however - as long as a CA is trusted on at least one Chrome platform, we should consistently (on all Chrome platforms) hold that CA to the same security bar that is appropriate for users.
 


Comment 4 by bugdroid1@chromium.org (Project Member), Jan 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/36f20e46515ab61df4ae4af9655b647bf9a0ea5a

commit 36f20e46515ab61df4ae4af9655b647bf9a0ea5a
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Tue Jan 23 22:45:43 2018

Unify the handling of is_issued_by_known_root across platforms

Previously, is_issued_by_known_root took a per-platform approach,
attempting to determine whether or not (for a given platform)
a certificate was issued by a known root. Programmatic policies
such as HPKP or enforcement of the Baseline Requirements were then
gated on this functionality, and reporting errors or additional
details was similarly limited to that set of known roots.

However, this results in inconsistency across platforms - a given
certificate may be a known root on Windows, while returning false
on other platforms, giving an inconsistent security experience and
inconsistent user experience, even though the set of expectations
for that root cert/CA remain the same.

In order to align behaviour, all platforms now consider the set of
unified trust anchors for all platforms, in addition to the runtime
determination (when available) to determine the status. This will
reduce the false-negative case across platforms.

To avoid situations in which the static/compiled in list drifts
from the OS (e.g. due to emergency updates or pre-release versions),
the OS will still be consulted, but it will be as a fallback to
the internal list.

BUG=798186
TBR=isherman@chromium.org

Change-Id: I46e7abf044682b3583bd3ea50369891f5c56c0a6
Reviewed-on: https://chromium-review.googlesource.com/854014
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531377}
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/BUILD.gn
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/cert/cert_verify_proc_android.cc
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/cert/cert_verify_proc_ios.cc
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/cert/cert_verify_proc_mac.cc
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/cert/cert_verify_proc_nss.cc
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/cert/cert_verify_proc_win.cc
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/cert/known_roots_mac.cc
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/net/cert/known_roots_win.cc
[delete] https://crrev.com/8417190d5bd9fc759b81f1a187e56c0d3d7ba307/net/cert/x509_certificate_known_roots_win.h
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/tools/metrics/histograms/enums.xml
[modify] https://crrev.com/36f20e46515ab61df4ae4af9655b647bf9a0ea5a/tools/metrics/histograms/histograms.xml

Status: Available (was: Started)
This issue has been marked as started, but has no owner. Making available.
Labels: Enterprise-Triaged
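The following is an added worked example, not code from Chromium or from this change, that sketches the before/after logic described in the issue description (scan every certificate in the chain against a unified cross-platform list) and in the commit message (consult the OS store only as a fallback). The SPKI hash values, the contents of the static list, the modelled macOS trust store and the four chain builders are all constructed assumptions chosen to reproduce the cases the reporter lists: a root shipped only by Windows, a public root cross-signed by an enterprise anchor, a purely private PKI, and a root added to the OS by an emergency update before the compiled-in list caught up.

```cpp
#include <functional>
#include <iostream>
#include <set>
#include <string>
#include <utility>
#include <vector>

// One certificate in a verified chain, identified by subject and the
// SHA-256 of its SubjectPublicKeyInfo (what pinning and the known-roots
// list key on). All hashes below are constructed placeholders.
struct CertInfo {
  std::string subject;
  std::string spki_sha256;
};

// Hypothetical stand-in for the compiled-in union of trust anchors across
// all Chrome platforms. Constructed sample, not Chromium's generated list.
static const std::set<std::string> kUnifiedKnownRootSpkis = {
    "aa11",  // Public Root A: shipped by every OS
    "bb22",  // Public Root B: shipped only by Windows
};

// Runtime lookup into the local OS trust store (system-shipped roots only;
// anchors a user or administrator installed by hand are not counted).
using OsTrustStoreLookup = std::function<bool(const std::string&)>;

// Pre-change behaviour on non-Windows platforms: only the terminal
// certificate is consulted, and only against the local OS store.
bool IsIssuedByKnownRootLegacy(const std::vector<CertInfo>& chain,
                               const OsTrustStoreLookup& os_trusts) {
  if (chain.empty()) return false;
  return os_trusts(chain.back().spki_sha256);
}

// Unified behaviour: every certificate in the chain is checked against the
// static cross-platform list first; the OS store is only a fallback, so a
// root the OS added in an emergency update is still recognised.
bool IsIssuedByKnownRootUnified(const std::vector<CertInfo>& chain,
                                const OsTrustStoreLookup& os_trusts) {
  for (const CertInfo& cert : chain) {
    if (kUnifiedKnownRootSpkis.count(cert.spki_sha256) != 0) return true;
  }
  if (chain.empty()) return false;
  return os_trusts(chain.back().spki_sha256);
}

// Constructed OS store of a macOS machine: ships Public Root A and an
// emergency-added root "ee55" that has not yet reached the static list.
bool MacStoreTrusts(const std::string& spki_sha256) {
  static const std::set<std::string> kShipped = {"aa11", "ee55"};
  return kShipped.count(spki_sha256) != 0;
}

// Chain ending at a root only Windows ships; the user installed it locally.
std::vector<CertInfo> WindowsOnlyRootChain() {
  return {{"www.example.test", "1001"}, {"Intermediate B", "1002"},
          {"Public Root B", "bb22"}};
}

// Public Root A cross-signed by an enterprise anchor, so path building
// terminates at the enterprise root rather than at the public one.
std::vector<CertInfo> CrossSignedChain() {
  return {{"www.example.test", "2001"}, {"Intermediate A", "2002"},
          {"Public Root A (cross-signed)", "aa11"}, {"Enterprise Root", "9999"}};
}

// Purely private PKI: no publicly trusted CA anywhere in the path.
std::vector<CertInfo> PrivateChain() {
  return {{"intranet.corp.test", "3001"}, {"Enterprise Root", "9999"}};
}

// Root the OS shipped after an emergency update, absent from the list.
std::vector<CertInfo> EmergencyRootChain() {
  return {{"www.example.test", "4001"}, {"Emergency Root", "ee55"}};
}

int main() {
  const std::vector<std::pair<std::string, std::vector<CertInfo>>> cases = {
      {"windows-only root", WindowsOnlyRootChain()},
      {"cross-signed public root", CrossSignedChain()},
      {"private PKI", PrivateChain()},
      {"emergency OS root", EmergencyRootChain()}};
  for (const auto& c : cases) {
    std::cout << c.first << ": legacy="
              << IsIssuedByKnownRootLegacy(c.second, MacStoreTrusts)
              << " unified="
              << IsIssuedByKnownRootUnified(c.second, MacStoreTrusts) << "\n";
  }
  return 0;
}
```

The cross-signed case is the security-relevant one: under the legacy check the chain terminates at an enterprise anchor the OS did not ship, so the leaf is treated as private and pin enforcement is skipped even though a publicly trusted CA issued it; the unified check sees Public Root A earlier in the path and applies the public-trust bar. The private-PKI chain stays exempt under both, and the emergency-root chain shows why the OS store remains as a fallback rather than being dropped.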
