[PKI library] should not handle directly trusting leaf certs
Issue description

RFC 5280 defines verification in terms of a trust anchor (issuer name + public key), and cert chain. So in the minimum case you must at least have a leaf cert which is signed by a trust anchor (which technically could be the same if it's a self-signed cert). So you always have at least one cert to do the various processing and checks on.

Some platforms have added non-standard abilities to trust an end-entity cert directly, without chaining to anything, and with varying amounts of processing / error handling. This is not specified anywhere, and the details and implementation are platform-specific.

For background:

AFAICT, Windows does not support it at all.

On macOS:
* Can trust end-entity cert as “always trust”, works in Safari and Chrome+CertVerifyProcMac.
* Expired certs are OK
* Incorrect eku fails
* Unrecognized critical extensions are OK

On Linux/NSS:
* Can set NSS "trusted peer" bit, but Firefox no longer honors it, instead it allows setting an error override to handle the "how can I browse to my untrusted local test site" case. Current Chrome+CertVerifyProcNSS does honor it.
* Expired cert fails
* Incorrect eku fails
* Unrecognized critical extensions are OK

Given the lack of specifications, and the large differences between different platforms, and the questionable security properties, it would be better to not support this, even on platforms where previously it was supported by the platform verifier. Instead users can use the override on the error interstitial, or can set up a proper local trusted CA which issues their test cert.
Feb 23 2018
Android also doesn't support it. CC'ing enamlites who care about interstitials these days, since effectively importing 'server' certs is yet-another-way to remember interstitial bypass messages.
Feb 23 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/adb7998970b0ea55d952aa15d9afa750918fcafa

commit adb7998970b0ea55d952aa15d9afa750918fcafa
Author: Matt Mueller <mattm@chromium.org>
Date: Fri Feb 23 20:30:29 2018

net::PathBuilder: if the leaf cert is trusted, treat as unspecified trust.

This allows path building to continue and try to build a valid path (either to a different root, or to the same cert if it happens to be self-signed.)

Update comments & todos that trusted leaf certs are intentionally not supported.

Bug: 814994
Change-Id: Id8e6a5f3d00c94c96271e4c6e21860206bb71c2a
Reviewed-on: https://chromium-review.googlesource.com/933108
Reviewed-by: Doug Steedman <dougsteed@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538880}

[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/components/cast_certificate/cast_cert_validator_unittest.cc
[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/net/cert/internal/common_cert_errors.cc
[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/net/cert/internal/common_cert_errors.h
[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/net/cert/internal/path_builder.cc
[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/net/cert/internal/trust_store_nss.cc
[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/net/cert/internal/trust_store_nss_unittest.cc
[modify] https://crrev.com/adb7998970b0ea55d952aa15d9afa750918fcafa/net/cert/internal/verify_certificate_chain.cc
Feb 23 2018
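A simplified model of the behaviour the commit message above describes, added here as an illustration and not taken from Chromium's source: a trust setting on the leaf is treated as unspecified, so a path is only accepted if it ends at a trusted issuer (which may be the leaf itself when it is self-signed). The names `Cert`, `Store`, `BuildPath` and `SamplePath` are hypothetical, and signatures are modelled by matching key labels rather than real cryptography.

```cpp
#include <map>
#include <string>
#include <vector>

// Toy model (assumption): a cert is four labels; "signed by" means the
// signer_key label equals the issuer's key label. No real signature checks.
struct Cert { std::string subject, issuer, key, signer_key; };
enum class Trust { kUnspecified, kTrustedAnchor };

struct Store {
    std::vector<Cert> certs;              // candidate issuers
    std::map<std::string, Trust> trust;   // keyed by "subject/key"
    Trust Get(const Cert& c) const {
        auto it = trust.find(c.subject + "/" + c.key);
        return it == trust.end() ? Trust::kUnspecified : it->second;
    }
};

// Depth-first search with backtracking for an issuer chain ending at an anchor.
static bool Extend(const Cert& cur, const Store& s,
                   std::vector<std::string>& path, size_t budget) {
    if (budget == 0) return false;        // bounds loops through self-signed certs
    for (const Cert& cand : s.certs) {
        if (cand.subject != cur.issuer || cand.key != cur.signer_key) continue;
        path.push_back(cand.subject);
        if (s.Get(cand) == Trust::kTrustedAnchor || Extend(cand, s, path, budget - 1))
            return true;
        path.pop_back();
    }
    return false;
}

// Returns the path (leaf first, anchor last), or empty if none exists.
// Trust is only ever consulted for issuers, never for the leaf as a leaf.
std::vector<std::string> BuildPath(const Cert& leaf, const Store& s) {
    std::vector<std::string> path{leaf.subject};
    return Extend(leaf, s, path, s.certs.size() + 1) ? path
                                                     : std::vector<std::string>{};
}

// Constructed sample: the user has marked the leaf itself as trusted.
std::vector<std::string> SamplePath(const Cert& leaf, bool with_root) {
    Store s;
    s.certs.push_back(leaf);
    s.trust[leaf.subject + "/" + leaf.key] = Trust::kTrustedAnchor;
    if (with_root) {
        s.certs.push_back({"Root CA", "Root CA", "kR", "kR"});
        s.trust["Root CA/kR"] = Trust::kTrustedAnchor;
    }
    return BuildPath(leaf, s);
}
```
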
Comment 1 by eroman@chromium.org, Feb 23 2018