Deprecate support for PEM in AIA

Issue description

The profile in RFC 5280 states that AIA responses must be either a single certificate DER or BER/DER encoded "certs-only" (4.2.2.1.). In practice, some CAs respond with PEM-encoded single certificates. This is widely supported by platform verifiers (NSS, Windows, Mac all permit PEM in AIA responses).
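The description above says a verifier has to accept two framings of an AIA response: the RFC 5280 one (a DER SEQUENCE, i.e. a certificate or a "certs-only" CMS message) and the PEM wrapping some CAs actually serve. The following is an added example, not Chromium's code, of the normalization step a fetcher can apply before handing bytes to the certificate parser: PEM armor is unwrapped, raw DER is passed through, and anything that is not a single self-consistent DER SEQUENCE (HTML error pages, trailing garbage) is dropped. The sample input is a constructed tiny DER blob, not a real certificate.

```python
import base64
import re
from typing import List

# Constructed sample input (not a real certificate): a DER SEQUENCE holding
# INTEGER 1. It only exercises the framing logic, never the X.509 parser.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)  # line-wrapped base64, ends with newline
    + b"-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_sequence_is_self_consistent(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE with no trailing bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        length, header = first, 2
    else:  # long-form length: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def aia_response_to_der(body: bytes) -> List[bytes]:
    """Normalize a fetched AIA response body to a list of DER blobs.

    RFC 5280 4.2.2.1 expects a single DER certificate or a DER "certs-only"
    CMS message; some CAs serve PEM instead, so PEM armor is unwrapped here.
    The caller still has to parse each blob as a certificate (or CMS) before
    trusting it; this function only fixes the framing.
    """
    blobs: List[bytes] = []
    if b"-----BEGIN CERTIFICATE-----" in body:
        for b64 in _PEM_BLOCK.findall(body):
            try:
                # validate=False discards whitespace between base64 lines
                blobs.append(base64.b64decode(b64, validate=False))
            except ValueError:
                continue  # malformed base64: skip this block
    else:
        blobs.append(body)  # assume raw DER and let the length check decide
    return [b for b in blobs if der_sequence_is_self_consistent(b)]
```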

Comment 1 by eroman@chromium.org, Aug 2

Some sample chains showing the problem:

Aug 3

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8e640405dfb47ea7579db7746863b8b731342269

commit 8e640405dfb47ea7579db7746863b8b731342269
Author: Eric Roman <eroman@chromium.org>
Date: Fri Aug 03 00:04:09 2018

Allow AIA responses to be served as PEM for builtin verifier.

This matches the behavior for other platforms, and helps reduce differences in testing.

Bug: 870359
Change-Id: I6c0bd06497d1577a034ee3f52bdf7d144061d28d
Reviewed-on: https://chromium-review.googlesource.com/1159603
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580382}

[modify] https://crrev.com/8e640405dfb47ea7579db7746863b8b731342269/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/8e640405dfb47ea7579db7746863b8b731342269/net/cert/internal/cert_issuer_source_aia.cc