crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements on Windows #39360
dmitshur changed the title from "crypto/x509.Certificate: Verify function seemingly ignoring EKU requirements on Windows" to "crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements on Windows" on Jun 2, 2020.
dmitshur added the NeedsInvestigation label (someone must examine and confirm this is a valid issue and not a duplicate of an existing one) and the OS-Windows label on Jun 2, 2020.
Change https://golang.org/cl/242597 mentions this issue.
dmitshur added the NeedsFix label (the path to resolution is known, but the work has not been done) and removed the NeedsInvestigation label on Jul 14, 2020.
gopherbot pushed a commit that referenced this issue on Jul 14, 2020:

…eyUsages on Windows

When using the platform verifier on Windows (because Roots is nil) we were always enforcing server auth EKUs if DNSName was set, and none otherwise. If an application was setting KeyUsages, they were not being respected.

Started correctly surfacing IncompatibleUsage errors from the system verifier, as those are the ones applications will see if they are affected by this change.

Also refactored verify_test.go to make it easier to add tests for this, and replaced the EKULeaf chain with a new one that doesn't have a SHA-1 signature.

Thanks to Niall Newman for reporting this.

Fixes #39360
Fixes CVE-2020-14039

Change-Id: If5c00d615f2944f7d57007891aae1307f9571c32
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/774414
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793509
Reviewed-by: Filippo Valsorda <valsorda@google.com>
bflad added a commit to hashicorp/terraform-provider-aws that referenced this issue on Jul 14, 2020.
gopherbot pushed a commit that referenced this issue on Jul 14, 2020:

…eyUsages on Windows

When using the platform verifier on Windows (because Roots is nil) we were always enforcing server auth EKUs if DNSName was set, and none otherwise. If an application was setting KeyUsages, they were not being respected.

Started correctly surfacing IncompatibleUsage errors from the system verifier, as those are the ones applications will see if they are affected by this change.

Also refactored verify_test.go to make it easier to add tests for this, and replaced the EKULeaf chain with a new one that doesn't have a SHA-1 signature.

Thanks to Niall Newman for reporting this.

Fixes #39360
Fixes CVE-2020-14039

Change-Id: If5c00d615f2944f7d57007891aae1307f9571c32
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/774414
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793511
Reviewed-by: Filippo Valsorda <valsorda@google.com>
bflad added a commit to hashicorp/terraform-provider-aws that referenced this issue on Jul 14, 2020.
For future reference, here is the giant crt.sh query I used to find a test case that had EKUs on the leaf but not on the chain.
Closed
What version of Go are you using (go version)?

Does this issue reproduce with the latest release?
Yes

What operating system and processor architecture are you using (go env)?

What did you do?
When validating an x509 certificate, the KeyUsages value appears to be ignored on Windows.
What did you expect to see?
Certificate validation fail if the certificate chain does not meet the EKU requirements specified in VerifyOptions.
What did you see instead?
The certificate validates successfully despite not meeting the requirements.
I am not sure if this is intended behaviour though, due to the code here: https://golang.org/src/crypto/x509/verify.go?#L749
If the OS is Windows, validation is passed off to the system APIs and the result of that call is returned, meaning the EKU checks at the bottom of the Verify function are never hit.
Following the Windows specific code path, the KeyUsages value of VerifyOptions is not referenced as far as I can see.
I may be missing something here but it seems odd that this field would be ignored only on Windows without there being a note in the documentation.
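An added illustration of the check the reporter expected (example code written for this page, not taken from the issue, the CL or the Go project): an in-memory CA signs a leaf that carries only the ClientAuth EKU, and Verify is called with an explicit Roots pool, which keeps it on the pure-Go path on every OS (the platform verifier is used only when Roots is nil), so VerifyOptions.KeyUsages is enforced and a mismatch surfaces as CertificateInvalidError with Reason IncompatibleUsage, the same error the fix made the Windows path report. The CA name, host name "client.example" and keys are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair; this example treats any setup failure as fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildChain mints an in-memory CA and a leaf whose only EKU is ClientAuth (constructed test data).
func buildChain() (ca, leaf *x509.Certificate) {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"client.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // deliberately no ServerAuth
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// rejectedForEKU verifies leaf with an explicit Roots pool (pure-Go verifier on every OS) and reports
// whether the chain was refused with Reason IncompatibleUsage; err is non-nil only for an unexpected failure.
func rejectedForEKU(ca, leaf *x509.Certificate, want x509.ExtKeyUsage) (bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "client.example", Roots: roots, KeyUsages: []x509.ExtKeyUsage{want}})
	if cie, ok := err.(x509.CertificateInvalidError); ok && cie.Reason == x509.IncompatibleUsage {
		return true, nil
	}
	return false, err // nil when the requested EKU was satisfied
}
```

Before the fix, the same call with Roots left nil on Windows would have ignored KeyUsages entirely, so a test of this shape is how to confirm what a given Go build actually enforces.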