[cabfpub] Mozilla SHA-1 further restrictions
Erwann.Abalea at docusign.com
Fri Nov 18 16:19:21 UTC 2016
On 18 Nov 2016, at 14:56, Gervase Markham <gerv at mozilla.org> wrote:
On 17/11/16 18:41, Erwann Abalea wrote:
Another valid chain:
RootCA (subject: "C=UT, O=PerfectCA, CN=Root")
-> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0)
-> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0) <= this is the self-issued cert, same name
Having a pathLen=0 doesn’t forbid you from creating a CA
certificate, it only forbids you from creating a CA certificate
for a different CA. This is defined in X.509 and repeated in RFC5280.
This behaviour is supported by OpenSSL, probably by Microsoft
(haven’t checked), I guess by Mozilla libPKIX but not Mozilla::pkix
(just quickly read the source).
So an attacker can effectively leverage a SHA-1 collision into a cert
which is equivalent to the issuing intermediate but for which they
control the private key?
RFC5280 section 4.2.1.9 Basic Constraints:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path.
And this is taken into account in section 6.1 presenting the validation algorithm.
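As an added illustration (not code from either poster or from any of the implementations named above), the path-length bookkeeping of RFC 5280 section 6.1.4 steps (k)-(m) applied to the chain discussed above, using a simplified certificate model in which only subject, issuer, cA and pathLenConstraint are represented; the DNs are the constructed ones from the thread and the leaf name is a placeholder:

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Simplified certificate: only the fields that matter for pathLen handling."""
    subject: str
    issuer: str
    ca: bool = False
    path_len: Optional[int] = None  # pathLenConstraint, None when absent

    def self_issued(self) -> bool:
        # RFC 5280 section 6.1: a certificate is self-issued when issuer DN == subject DN
        return self.subject == self.issuer


def validate_path_len(chain: List[Cert]) -> bool:
    """Apply RFC 5280 6.1.4 (k), (l) and (m) to a chain.

    chain[0] is the trust anchor, chain[-1] the end-entity certificate.
    Only the cA / pathLenConstraint logic is modelled; signatures, names
    and policies are not checked. Returns True if this check passes.
    """
    max_path_length = len(chain) - 1      # 6.1.2 (k): initialised to n (anchor excluded)
    for cert in chain[1:-1]:              # "prepare for next cert" runs on intermediates only
        if not cert.ca:                   # 6.1.4 (k): every intermediate must assert cA
            return False
        if not cert.self_issued():        # 6.1.4 (l): self-issued certs are not counted
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len   # 6.1.4 (m): tighten to pathLenConstraint
    return True


ROOT = Cert("C=UT, O=PerfectCA, CN=Root", "C=UT, O=PerfectCA, CN=Root", ca=True)
ONLINE = Cert("C=UT, O=PerfectCA, CN=Online", ROOT.subject, ca=True, path_len=0)
# Self-issued CA cert: same subject and issuer as ONLINE, pathLen=0 (the case in the thread)
ONLINE_SELF = Cert(ONLINE.subject, ONLINE.subject, ca=True, path_len=0)
# A CA with a different name below pathLen=0 (constructed counter-example)
OTHER = Cert("C=UT, O=PerfectCA, CN=Other", ONLINE.subject, ca=True, path_len=0)
LEAF = Cert("CN=placeholder.example", ONLINE.subject)       # constructed end-entity
LEAF_OTHER = Cert("CN=placeholder.example", OTHER.subject)  # constructed end-entity

SELF_ISSUED_CHAIN = [ROOT, ONLINE, ONLINE_SELF, LEAF]
DIFFERENT_CA_CHAIN = [ROOT, ONLINE, OTHER, LEAF_OTHER]

if __name__ == "__main__":
    print("self-issued chain:", validate_path_len(SELF_ISSUED_CHAIN))    # True
    print("different-CA chain:", validate_path_len(DIFFERENT_CA_CHAIN))  # False
```

The self-issued intermediate is not decremented against max_path_length, so the chain passes, whereas a differently named CA under the same pathLen=0 issuer is rejected.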