crypto/tls: generate_cert.go sets KeyEncipherment KU for non-RSA keys [freeze exception] #36499
Comments
toothrot
changed the title
toothrot
added
the
NeedsInvestigation
|
👋 Hi folks, Anything I can do to help move this forward? |
FiloSottile
added
the
NeedsFix
gopherbot
removed
the
NeedsInvestigation
|
Subscribing to this issue, as certs generated like this with ECC keys (haven't used ED25519 yet) raises an error in Chrome 83 on Mac (and I have verified this as well): https://caddy.community/t/internal-ssl-certificate-is-not-standards-compliant-on-macos/8933 |
FiloSottile
changed the title
|
@rsc @golang/osp-team Can I get a freeze exception on this? |
|
Fixing this during freeze seems okay to me. Chrome 83 was released after the Go 1.15 freeze started, so some of the information here wasn't available earlier. A Approved. |
|
Yeah, Chrome 83 is a misdirect. It's been part of BoringSSL since 2019-01-30 for TLS 1.2 and earlier, and always for TLS 1.3 https://boringssl.googlesource.com/boringssl/+/d7266ecc9bf92ffad277bc39653919da79c8f42b%5E%21 |
|
That change was for RSA keys, not EC keys. But nothing applicable changed in Chrome 83 as far as I know. I don't think this is coming from BoringSSL, however. We require for the presence of various bits, but not the absence. The error would also come out differently. Given both the error and that it's reflected in the macOS certificate viewer UI, this probably isn't coming directly from Chrome at all, but macOS. |
|
@davidben No, that change affected EC keys. If |
|
Right, we check KU for EC keys. But we did that long before that CL. The new thing in that CL was support for checking on RSA in TLS 1.2. But we only check for the presence of the bit we wanted. If there was some irrelevant bit, BoringSSL doesn't care. Sounds like this is about something rejecting an irrelevant bit. |
|
(One way or another, the keyEncipherment bit doesn't make sense for EC keys and ought to be omitted.) |
|
Change https://golang.org/cl/214337 mentions this issue: |
What version of Go are you using (
go version)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env)?N/A
What did you do?
What did you expect to see?
What did you see instead?
Summary:
The
crypto/tls/generate_cert.goutility should only set the templatex509.Certificate'sKeyUsagefield to a value with thex509.KeyUsageKeyEnciphermentbits set when the certificate subject public key is an RSA public key, not an ECDSA or ED25519 public key.Presently it sets the
KeyUsagetoKeyUsageKeyEnciphermentandKeyUsageDigitalSignatureno matter what type of public key is used:go/src/crypto/tls/generate_cert.go
Line 110 in 79ccbe1
RFC 5480 describes the usage of ECDSA elliptic curve subject keys with X509. Unfortunately while Section 3 "Key Usages Bits" indicates which key usage bits MAY be used with a certificate that indicates
id-ecPublicKeyin theSubjectPublicKeyInfofield it doesn't provide guidance on which usages should not be included (e.g. thekeyEnciphermentbit, which is particular to RSA key exchange). The same problem is present in RFC 8410 Section 5 describing Key Usage Bits for ED25519 elliptic curve subject keys.There's an update to RFC 5480 in last call stage within the IETF LAMPS WG, draft-ietf-lamps-5480-ku-clarifications-00. This update is meant to clarify the allowed Key Usages extension values for certificates with ECDSA subject public keys by adding:
I don't believe there is an update for RFC 8410 in the works but I suspect it will be clarified similarly in the future (I will follow up with the LAMPS WG).
The current behaviour of
generate_cert.gowon't comply with the updated RFC 5480 requirement.The text was updated successfully, but these errors were encountered: