release-2.1: security: relax checks on certificate fields. #29223
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes cockroachdb#29185. Remove all checks on certificate KeyUsage and ExtendedKeyUsage. These have historically been so badly misused that Go does not even check them. Per the blurb in [x509/verify.go](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L676): ``` // KeyUsage status flags are ignored. From Engineering Security, Peter // Gutmann: A European government CA marked its signing certificates as // being valid for encryption only, but no-one noticed. Another // European CA marked its signature keys as not being valid for // signatures. A different CA marked its own trusted root certificate // as being invalid for certificate signing. Another national CA // distributed a certificate to be used to encrypt data for the // country’s tax authority that was marked as only being usable for // digital signatures but not for encryption. Yet another CA reversed // the order of the bit flags in the keyUsage due to confusion over // encoding endianness, essentially setting a random keyUsage in // certificates that it issued. Another CA created a self-invalidating // certificate by adding a certificate policy statement stipulating // that the certificate had to be used strictly as specified in the // keyUsage, and a keyUsage containing a flag indicating that the RSA // encryption key could only be used for Diffie-Hellman key agreement. ``` Running cockroach (client/server) with absolutely no Key Usages works just fine. Release note (general change): remove checks on certificate key usages.
|
This change is |
|
bors r+ |
Build failed |
|
bors r+ |
craig bot
pushed a commit
that referenced
this pull request
Aug 29, 2018
29223: release-2.1: security: relax checks on certificate fields. r=mberhault a=mberhault Backport 1/1 commits from #29193. /cc @cockroachdb/release --- Fixes #29185. Remove all checks on certificate KeyUsage and ExtendedKeyUsage. These have historically been so badly misused that Go does not even check them. Per the blurb in [x509/verify.go](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L676): ``` // KeyUsage status flags are ignored. From Engineering Security, Peter // Gutmann: A European government CA marked its signing certificates as // being valid for encryption only, but no-one noticed. Another // European CA marked its signature keys as not being valid for // signatures. A different CA marked its own trusted root certificate // as being invalid for certificate signing. Another national CA // distributed a certificate to be used to encrypt data for the // country’s tax authority that was marked as only being usable for // digital signatures but not for encryption. Yet another CA reversed // the order of the bit flags in the keyUsage due to confusion over // encoding endianness, essentially setting a random keyUsage in // certificates that it issued. Another CA created a self-invalidating // certificate by adding a certificate policy statement stipulating // that the certificate had to be used strictly as specified in the // keyUsage, and a keyUsage containing a flag indicating that the RSA // encryption key could only be used for Diffie-Hellman key agreement. ``` Running cockroach (client/server) with absolutely no Key Usages works just fine. Release note (general change): remove checks on certificate key usages. Co-authored-by: marc <marc@cockroachlabs.com>
Build succeeded |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport 1/1 commits from #29193.
/cc @cockroachdb/release
Fixes #29185.
Remove all checks on certificate KeyUsage and ExtendedKeyUsage.
These have historically been so badly misused that Go does not even
check them. Per the blurb in
x509/verify.go:
Running cockroach (client/server) with absolutely no Key Usages works
just fine.
Release note (general change): remove checks on certificate key usages.