public_key:pkix_path_validation/3 allows duplicate root certificate #6394
Comments
6.1. Basic Path Validation (of that same RFC) you can also find the following.
Now, it might not make sense to just duplicate the root cert but because of the above, I think it will not be detected. The question is if this causes some actual problem?!
My bad I quoted the wrong part of the RFC, the relevant part is just below:
Therefore the current OTP implementation unfortunately is not perfectly conformant with RFC5280. I came upon this issue while implementing WebAuthn (see this issue related to the WebAuthn test suite). I had to write code to bypass this issue, which could be error prone and could have negative security consequences. However I don't know why this restriction was set in the first place and if that's a security issue (except for people bypassing it incorrectly).
Well the ROOT-CA should not be part of the path to be validated at all. But maybe this could happen in the middle of the chain too?! I can only see that it is a problem for self-signed certs, we can look into making public_key verify this property.
…_certs/GH-6394/OTP-18723 public_key: Add check for duplicate certificates
Describe the bug
public_key:pkix_path_validation/3 returns {ok, _} when the second argument contains duplicate root certificates, but should return an error according to RFC5280 - 6.1. Basic Path Validation:
To Reproduce
Using for instance the Elixir X509 library:
Expected behavior
An {error, _} error should be returned.
Affected versions
OTP25.1.2 at least
Additional context
Not sure if this is a bug. The WebAuthn/FIDO2 test suite has tests that fail with OTP because of this.
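For callers on an affected release, the duplicate check discussed in this issue can be done before validation. The module below is an added example, not code from OTP or from the issue's participants: it wraps public_key:pkix_path_validation/3 and rejects a chain (the second argument) in which the same certificate occurs twice. The module name `chain_guard`, its function names and the `duplicate_in_chain` error reason are assumptions made for this example, and every chain element is assumed to be a DER binary.

```erlang
-module(chain_guard).
-export([validate/3, first_duplicate/1, demo/0]).

%% Wrapper around public_key:pkix_path_validation/3 that first rejects a
%% CertChain in which the same DER-encoded certificate occurs twice.
%% Assumption: every element of CertChain is a DER binary.
validate(TrustedCert, CertChain, Options) ->
    case first_duplicate(CertChain) of
        none ->
            public_key:pkix_path_validation(TrustedCert, CertChain, Options);
        {duplicate, Pos} ->
            %% Error reason chosen for this example, not an OTP reason.
            {error, {bad_cert, {duplicate_in_chain, Pos}}}
    end.

%% Returns none, or {duplicate, Pos} where Pos is the 1-based position of
%% the first certificate whose exact DER bytes were already seen earlier.
first_duplicate(CertChain) ->
    first_duplicate(CertChain, 1, #{}).

first_duplicate([], _Pos, _Seen) ->
    none;
first_duplicate([Der | Rest], Pos, Seen) when is_binary(Der) ->
    case maps:is_key(Der, Seen) of
        true  -> {duplicate, Pos};
        false -> first_duplicate(Rest, Pos + 1, Seen#{Der => Pos})
    end.

%% Constructed stand-ins for DER certificates; only byte equality matters
%% to the duplicate check, so no real certificates are needed here.
demo() ->
    Root = <<"constructed-root">>,
    Inter = <<"constructed-intermediate">>,
    Leaf = <<"constructed-leaf">>,
    none = first_duplicate([Root, Inter, Leaf]),
    {duplicate, 2} = first_duplicate([Root, Root, Inter, Leaf]),
    {duplicate, 3} = first_duplicate([Inter, Leaf, Inter]),
    %% A duplicate short-circuits before public_key is ever called.
    {error, {bad_cert, {duplicate_in_chain, 2}}} =
        validate(Root, [Root, Root, Leaf], []),
    ok.
```

The guard inspects only the chain passed as the second argument; whether the trust anchor given as the first argument may also appear in that chain is left to the caller's policy.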