Chromium accepts root CAs with invalid DER encoding for serial number
Reported by
tira...@gmail.com,
Jan 8
|
|||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0 Steps to reproduce the problem: 1. Import root CA from http://ca.mup.gov.rs/MUPCARoot.crt What is the expected behavior? Chrome / BoringSSL should fail and refuse to load the certificate. What went wrong? The certificate uses an invalid DER encoding for its serial number. The serial number 100 (0x64) is encoded as "02 04 00 00 00 64" instead of "02 01 64". While the encoding is valid BER, it's not valid DER. Canonical DER encoding does not allow leading zeros unless the MSB of the integer is set. $ dumpasn1 MUPCARoot.crt 0 1435: SEQUENCE { 4 899: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 4: INTEGER 100 : Error: Integer '00 00 ...' has non-DER encoding. Did this work before? No Chrome version: Version 71.0.3578.98 (Developer Build) Fedora Project (64-bit) Channel: n/a OS Version: Fedora 29 Flash Version: See https://mta.openssl.org/pipermail/openssl-dev/2016-February/005099.html and https://bugs.python.org/issue35665 OpenSSL 1.1+ is more strict and only accepts "02 01 64" for serial number 0x64. NSS 3.41 doesn't require strict DER encoding and also accepts the certificate. Both Firefox and Chrome UI display the serial number as "00:00:00:64".
,
Jan 8
I don't think this is a vulnerability because installing a root certificate requires privilege, but will let the BoringSSL people decide.
,
Jan 8
I'm pretty sure that the issue also applies to intermediate and EE certs. It's a bit tricky to create a cert with bad integers and I haven't had time to craft a bad certificate manually.
,
Jan 8
Much as I would love for that parser to be strict, I believe there are enough misissuing Enterprise CAs that we're stuck here. Ryan is more authoritative here though.
,
Jan 8
Correct. This is one area of acknowledged incompatibility that we'd like to tighten over time. Publicly trusted CAs are being supervised and prohibited from this, and we'll be working to tighten that further, but Enterprise CAs remain a compatibility concern and have thus not prioritized deprecation. I don't believe there's any need to restrict this. The concerns expressed in Comment #1 do not apply. I'm actually marking this Feature, because this would be a change to the Web Platform as such invalid serials are, unfortunately, widely accepted on the Web Platform (Chrome, Firefox, Edge, Safari depending on macOS release)
,
Jan 8
> While the encoding is valid BER, it's not valid DER. The BER rules are the same as the DER rules: "If the contents octets of an integer value encoding consist of more than one octet, then the bits of the first octet and bit 8 of the second octet: a) shall not all be ones; and b) shall not all be zero. NOTE – These rules ensure that an integer value is always encoded in the smallest possible number of octets." - https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf So it isn't valid BER either.
,
Jan 8
> I'm pretty sure that the issue also applies to intermediate and EE certs. It's a bit tricky to create a cert with bad integers and I haven't had time to craft a bad certificate manually. If intermediate or end-entity certificates with this kind of bad encoding are accepted then that's a separate bug. > Such invalid serials are, unfortunately, widely accepted on the Web Platform (Chrome, Firefox, Edge, Safari depending on macOS release) I would be surprised if Firefox accepts such encodings in end-entity and intermediate certificates. See https://hg.mozilla.org/projects/nss/annotate/b81ef75ef4e8/lib/mozpkix/lib/pkixder.cpp#l581, which implements the check from the BER spec. I would even be surprised if Firefox accepted such encoding in root certificates since, IIRC, it uses the same parser to parse root certificates.
,
Jan 9
As per comment# 5, issue seems to be a Feature request, hence marking it as Untriaged. Thanks! |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by tira...@gmail.com
, Jan 8