Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

During parsing, accept v1 certificates and allow certificates without subjectAltName #219

Open
briansmith opened this issue Apr 21, 2021 · 9 comments
Open

During parsing, accept v1 certificates and allow certificates without subjectAltName #219

briansmith opened this issue Apr 21, 2021 · 9 comments

Comments

@briansmith
Copy link
Owner

Currently, constructing an EndEntityCert will fail unless the certificate is a v3 certificate with a subjectAltName extension.

Instead, the following should happen:

  • If the certificate version is the default (not explicitly encoded), then that means v1. In that case, accept the certificate as long as there are NO extensions. (Extensions are not allowed in v1 certificates.)
  • If the certificate version is v3, accept the certificate regardless of whether there are extensions.
  • If the certificate version is anything else, reject the certificate.

If/when the subject name is validated, then name validation should always fail if no name matches are found, regardless of whether there was a subjectAltName extension and regardless of the version.
@briansmith briansmith mentioned this issue Apr 21, 2021
Open
@tdyas tdyas mentioned this issue May 3, 2021
Open
@ghost ghost mentioned this issue May 12, 2021
Open
@martoko martoko mentioned this issue Aug 28, 2021
Closed
@robin-kunzler
Copy link

@briansmith : From our perspective it would be great if v3 certificates would be accepted regardless of whether they have extensions.

AFAIU, the relevant code is here. The der::nested currently returns the MissingOrMalformedExtensions error if no extension block is present.

Do you have plans to address this anytime soon?

@janimo
Copy link

janimo commented Sep 21, 2021

@robin-kunzler it seems to work for me with this small change to the code you pointed at #241

@robin-kunzler
Copy link

@janimo : Thanks a lot, this looks good to me and it works for the certificates without extensions that I would like to use. Please see a more detailed comment in the PR #241 .

@fspreiss
Copy link

@briansmith, we would like to use rustls in our project but the requirement that the dependent webpki requires v3 certificates to have extensions is a blocker. We tested our implementation with @janimo's patch and that fixes the issue for us.

Would you therefore be OK with merging #241?

If you would like to have changes to #241, we would be happy to create a respective PR.

@fspreiss
Copy link

fspreiss commented Dec 7, 2021

Would you therefore be OK with merging #241?

@briansmith, did you already have time to look at this?

Support for certificates without extensions is very important for our project. Judging from the number of 👍 on your original comment, it seem others would also be interested in this. So if there is anything that can be done to help getting this supported (e.g., adapt #241, or create an entirely different PR), please let me know. Thanks!

@briansmith
Copy link
Owner Author

Would you therefore be OK with merging #241?

@briansmith, did you already have time to look at this?

Support for certificates without extensions is very important for our project. Judging from the number of 👍 on your original comment, it seem others would also be interested in this. So if there is anything that can be done to help getting this supported (e.g., adapt #241, or create an entirely different PR), please let me know. Thanks!

Yes, I am planning to accept the PR. #248 is my current priority for this project and that work will unblock #241 and others.

@briansmith
Copy link
Owner Author

briansmith commented Dec 10, 2021
edited
Loading

Specifically, here is my plan:

  • During parsing, accept v1 certificates and v3 certificates without extensions, so that constructing the EndEntityCert succeeds instead of fails.
  • Name validation would continue to fail since name validation wouldn't find any names. Making name validation more flexible (e.g. providing an option to accept names in the subject CN) is out of scope for this issue and is tracked by other issues.
  • Verifying signatures using the public key of the certificate will succeed. In particular, this will allow people to plug in custom certificate chain building/validation while continuing to use webpki's (ring's) signature validation code. This is especially useful when trying to integrate with the operating system's verifier.
  • [Edit: added] Path building will succeed.

@porsager porsager mentioned this issue Jan 14, 2022
Closed
@bnoordhuis bnoordhuis mentioned this issue Jan 17, 2022
Closed
2 tasks
@djc djc mentioned this issue Nov 15, 2022
Closed
@fspreiss fspreiss mentioned this issue Feb 10, 2023
Closed
@blind-oracle
Copy link

@briansmith any progress on this? As far as I see it still fails and I specifically need to verify the self-signed certificate with only a common name present (no SubjectAltName). Thanks!

@fspreiss
Copy link

@blind-oracle, if your certificate is v3, then you could use the rustls/webpki fork, where this is now supported.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@briansmith @janimo @blind-oracle @fspreiss @robin-kunzler