New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/tls: generate_cert.go sets KeyEncipherment KU for non-RSA keys [freeze exception] #36499
Comments
👋 Hi folks, Anything I can do to help move this forward? |
Subscribing to this issue, as certs generated like this with ECC keys (haven't used ED25519 yet) raises an error in Chrome 83 on Mac (and I have verified this as well): https://caddy.community/t/internal-ssl-certificate-is-not-standards-compliant-on-macos/8933 |
@rsc @golang/osp-team Can I get a freeze exception on this? |
Fixing this during freeze seems okay to me. Chrome 83 was released after the Go 1.15 freeze started, so some of the information here wasn't available earlier. A Approved. |
Yeah, Chrome 83 is a misdirect. It's been part of BoringSSL since 2019-01-30 for TLS 1.2 and earlier, and always for TLS 1.3 https://boringssl.googlesource.com/boringssl/+/d7266ecc9bf92ffad277bc39653919da79c8f42b%5E%21 |
That change was for RSA keys, not EC keys. But nothing applicable changed in Chrome 83 as far as I know. I don't think this is coming from BoringSSL, however. We require for the presence of various bits, but not the absence. The error would also come out differently. Given both the error and that it's reflected in the macOS certificate viewer UI, this probably isn't coming directly from Chrome at all, but macOS. |
@davidben No, that change affected EC keys.
If |
Right, we check KU for EC keys. But we did that long before that CL. The new thing in that CL was support for checking on RSA in TLS 1.2. But we only check for the presence of the bit we wanted. If there was some irrelevant bit, BoringSSL doesn't care. Sounds like this is about something rejecting an irrelevant bit. |
(One way or another, the keyEncipherment bit doesn't make sense for EC keys and ought to be omitted.) |
Change https://golang.org/cl/214337 mentions this issue: |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?N/A
What did you do?
What did you expect to see?
What did you see instead?
Summary:
The
crypto/tls/generate_cert.go
utility should only set the templatex509.Certificate
'sKeyUsage
field to a value with thex509.KeyUsageKeyEncipherment
bits set when the certificate subject public key is an RSA public key, not an ECDSA or ED25519 public key.Presently it sets the
KeyUsage
toKeyUsageKeyEncipherment
andKeyUsageDigitalSignature
no matter what type of public key is used:go/src/crypto/tls/generate_cert.go
Line 110 in 79ccbe1
RFC 5480 describes the usage of ECDSA elliptic curve subject keys with X509. Unfortunately while Section 3 "Key Usages Bits" indicates which key usage bits MAY be used with a certificate that indicates
id-ecPublicKey
in theSubjectPublicKeyInfo
field it doesn't provide guidance on which usages should not be included (e.g. thekeyEncipherment
bit, which is particular to RSA key exchange). The same problem is present in RFC 8410 Section 5 describing Key Usage Bits for ED25519 elliptic curve subject keys.There's an update to RFC 5480 in last call stage within the IETF LAMPS WG, draft-ietf-lamps-5480-ku-clarifications-00. This update is meant to clarify the allowed Key Usages extension values for certificates with ECDSA subject public keys by adding:
I don't believe there is an update for RFC 8410 in the works but I suspect it will be clarified similarly in the future (I will follow up with the LAMPS WG).
The current behaviour of
generate_cert.go
won't comply with the updated RFC 5480 requirement.The text was updated successfully, but these errors were encountered: