[cabfpub] Mozilla SHA-1 further restrictions

Erwann Abalea Erwann.Abalea at docusign.com
Fri Nov 18 16:19:21 UTC 2016


Le 18 nov. 2016 à 14:56, Gervase Markham <gerv at mozilla.org<mailto:gerv at mozilla.org>> a écrit :

On 17/11/16 18:41, Erwann Abalea wrote:
Another valid chain:
RootCA (subject: "C=UT, O=PerfectCA, CN=Root")
 -> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0)
   -> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0) <= this is the self-issued cert, same name
     -> EE

Having a pathLen=0 doesn’t forbid you from creating a CA
certificate, it only forbids you from creating a CA certificate
for a different CA. This is defined in X.509 and repeated in RFC5280.
This behaviour is supported by OpenSSL, probably by Microsoft
(haven’t checked), I guess by Mozilla libPKIX but not Mozilla::pkix
(just quickly read the source).

Well, %$£&*.

So an attacker can effectively leverage a SHA-1 collision into a cert
which is equivalent to the issuing intermediate but for which they
control the private key?

Yes.

RFC5280 section 4.2.1.9 Basic Constraints:
…
   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.


And this is taken into account in section 6.1 presenting the validation algorithm.


Cordialement,
Erwann Abalea

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161118/e800d1cb/attachment-0003.html>


More information about the Public mailing list