Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/x509roots: "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" should be constrained #61963

Closed
FiloSottile opened this issue Aug 11, 2023 · 3 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone

Comments

@FiloSottile
Copy link
Contributor

The root with CN TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 has Mozilla Applied Constraints of *.tr in the https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV report, but appears unconstrained in the fallback bundle.

/cc @rolandshoemaker

@gopherbot gopherbot added this to the Unreleased milestone Aug 11, 2023
@rolandshoemaker
Copy link
Member

Assuming this constraint is an additional Mozilla one, we need https://go.dev/issue/57178 to enforce it (in the meantime perhaps we should not be including it in the bundle).

@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 11, 2023
@rolandshoemaker
Copy link
Member

It turns out that Mozilla doesn't fully encode trust decision information in certdata.txt, per https://wiki.mozilla.org/CA/Included_Certificates:

If you are embedding our root store, you need to know that we have imposed some restrictions on certain CAs or certificates which are not encoded in certdata.txt. These are documented on a best-efforts basis.

I was partially aware of this, i.e. with regard to the Symantec CT restrictions, but I wasn't aware the additional name constraints were also part of this. It turns out that the only additional name constraint is for this specific root.

We could conceivably also consume https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV to add these additional constraints, but the "Mozilla Applied Constraints" field here is not explicitly documented anywhere (as far as I can tell), so assuming it will always be a single name (or that it'll be a name at all and not something entirely different) is perhaps a pitfall.

We could manually encode this particular restriction, not in the certdata parser itself, but in the root bundle generator. But that is also fragile.

@rolandshoemaker rolandshoemaker added NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Oct 18, 2023
@gopherbot
Copy link

Change https://go.dev/cl/562475 mentions this issue: x509roots: manually exclude a confusingly constrained root

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. labels Feb 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Development

No branches or pull requests

5 participants