crypto/x509: potentially anomalous path building results #65085
Comments
seankhliao
added
Security
NeedsInvestigation
|
cc @golang/security |
|
Change https://go.dev/cl/561615 mentions this issue: |
|
@woodruffw it looks like the anomalous findings page has disappeared, are those still recorded somewhere? |
My apologies for that -- it looks like our CI hiccuped somewhere and didn't render the latest Go results. I'll look into that now. |
|
Sorry again for that! We've fixed it with C2SP/x509-limbo#193, and the render is here: https://x509-limbo.com/anomalous-results/gocryptox509-go1.21.6/ (NB the URL has changed slightly, since we've gone from |
|
Perfect, thanks for the (extremely) quick fix! |
|
Ignoring the CABF stuff, did some quick searching for publicly trusted certificates that exhibit the various issues. This is how many certificates I found, listed from least to most, with comments where applicable: |
|
@rolandshoemaker what's the dataset this is based on, CT? |
|
I used the censys dataset, so mostly CT. |
|
Change https://go.dev/cl/562343 mentions this issue: |
|
Change https://go.dev/cl/562341 mentions this issue: |
|
Change https://go.dev/cl/562342 mentions this issue: |
|
Change https://go.dev/cl/562344 mentions this issue: |
|
Change https://go.dev/cl/562975 mentions this issue: |
|
We've added another testcase to x509-limbo that has a standout anomalous result for In particular, when a leaf certificate has a SAN with (In terms of standards justification, |
A DNS name prefixed with an empty label should be considered invalid when checking constraints (i.e. ".example.com" does not satisfy a constraint of "example.com"). Updates #65085 Change-Id: I42919dc06abedc0e242ff36b2a42b583b14857b1 Reviewed-on: https://go-review.googlesource.com/c/go/+/561615 Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Updates #65085 Change-Id: I86d8a85130286e1ec2aca3249808ec1dc8ec97ca Reviewed-on: https://go-review.googlesource.com/c/go/+/562342 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
Updates #65085 Change-Id: I8a00fff6b2af4e55bcb88456813b5ee1f7b1c01d Reviewed-on: https://go-review.googlesource.com/c/go/+/562344 Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Updates #65085 Change-Id: I8cc60990737d582edf4f7f85ec871f5e42f82b78 Reviewed-on: https://go-review.googlesource.com/c/go/+/562341 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
Gentle ping on this finding as well: #65085 (comment) -- I believe this one is also worthy of a patch 🙂 |
|
Thanks for the nudge, agreed this should get into the next release. |
|
Change https://go.dev/cl/585076 mentions this issue: |
Go version
go1.21.5 linux/amd64
Output of
go envin your module/workspace:What did you do?
Hi there! I'm opening this to root-cause a handful of potentially anomalous path building results with
crypto/x509, which we found with x509-limbo.First, a disclaimer: I suspect that many of the results above are expected or are non-issues from crypto/x509's perspective, since many are "pedantic" checks against a strict reading of RFC 5280. For example,
rfc5280::nc::not-allowed-in-ee-criticalis technically disallowed under RFC 5280, but all other implementations appear to broadly ignore it.There are, however, some discrepancies for which crypto/x509 is the outlier. A sampling of anomalous positives (chains built where other implementations fail):
rfc5280::aki::critical-aki: all other implementations under test reject critical AKIs; crypto/x509 accepts itrfc5280::nc::nc-permits-invalid-dns-san: crypto/x509 and OpenSSL both accept a malformed DNS SAN that conflicts with a Name Constraintrfc5280::ee-critical-aia-invalid: all other implementations reject critical AIAs; crypto/x509 accepts them (despite not supporting AIA chasing)There are also some anomalous negatives (chains that fail to build where success is expected), but crypto/x509 is largely in consensus with other implementations around them (the main outlier is OpenSSL).
What did you see happen?
The full rendering of potentially anomalous results is here: https://x509-limbo.com/anomalous-results/gocryptox509-go1.21.5/
As mentioned above, some of these are almost certainly intended behavior on crypto/x509's part as part of handling real-world chains, especially outside of the Web PKI. However, I could find a document or docstring anywhere that explicitly enumerated these (in absolute fairness, nobody does this 🙂), so I figured I would open this up for general review and consideration.
What did you expect to see?
In cases involving critical or out-of-policy extensions that crypto/x509 appears to otherwise ignore, I expected to see chain build failures rather than successes. However, see qualifications above 🙂
The text was updated successfully, but these errors were encountered: