Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: check the Key Usage extension #40100

Open
FiloSottile opened this issue Jul 7, 2020 · 6 comments
Open

crypto/x509: check the Key Usage extension #40100

FiloSottile opened this issue Jul 7, 2020 · 6 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Backlog

Comments

@FiloSottile
Copy link
Contributor

We currently ignore the Key Usage extension because some old roots had gotten it wrong. Things probably improved by now and we can take a stab at following the spec again. AFAIK other verifiers do check them.
@FiloSottile FiloSottile added the NeedsFix The path to resolution is known, but the work has not been done. label Jul 7, 2020
@FiloSottile FiloSottile added this to the Go1.16 milestone Jul 7, 2020
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/246877 mentions this issue: crypto: check the Key Usage extension

@SparrowLii
Copy link
Contributor

I searched the crypto pkg and found there are two functions in crypto which relate to KU extension checking:
CheckSignature(x509.go 823) and verifyHandshakeSignature(auth.go 22). But it seems hard to check the KU inside the func body. I think maybe we can check KU before use one PublicKey.

@ottosulin
Copy link

ottosulin commented Jan 23, 2021
edited
Loading

KU extensions can also be checked with the Verify method available for certificates. If you are considering rewriting KU extension checking I suggest you also take a look at this:
https://go.googlesource.com/go/+/go1.15.6/src/crypto/x509/verify.go#803

I think the method makes a bit too straightforward assumption about KUs if the opts.KeyUsages is left empty. I'm not sure if it would be better to then assume that no usage is ok or to get the acceptable KUs from the cert chain.

@odeke-em
Copy link
Member

odeke-em commented Feb 5, 2021

Thanks everyone for the interaction. Not much action during Go1.16, thus I'll punt to Go1.17, and I'll kindly tag you @FiloSottile @katiehockman @rolandshoemaker to help review @SparrowLii's CL from #40100 (comment)

@odeke-em odeke-em modified the milestones: Go1.16, Go1.17 Feb 5, 2021
@ianlancetaylor
Copy link
Member

Is anything going to happen here for 1.17? Thanks.

@dmitshur
Copy link
Contributor

Moving to Backlog since it doesn't appear someone is actively working on getting this into 1.17, and it can wait. Please update this issue if needed.

@dmitshur dmitshur modified the milestones: Go1.17, Backlog May 21, 2021
@woodruffw woodruffw mentioned this issue Jul 1, 2023
Closed
24 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
7 participants
@FiloSottile @dmitshur @ianlancetaylor @odeke-em @ottosulin @gopherbot @SparrowLii