WiP: x590_vfy.c: (Re-)check that the root of the constructed cert chain is directly trusted #13770
Conversation
DDvO
changed the title
DDvO
changed the title
DDvO
force-pushed
the
internal_verify_check_trust
branch
from
1da5865
to
92c4576
Compare
crypto/x509/x509_vfy.c
Outdated
| /* Make sure that the root of the chain is trusted */ | ||
| CB_FAIL_IF(!X509_check_trust(xi, ctx->param->trust, ctx->param->flags), | ||
| /* Make sure that the root of the chain is directly trusted */ | ||
| CB_FAIL_IF(!directly_trusted(ctx, xi), |
There was a problem hiding this comment.
Sorry, on balance I think this PR should be abandoned. The internal_verify() function is not the right place to second-guess the trust-path construction. Its job is solely to check chain integrity (signatures and dates).
There was a problem hiding this comment.
As meanwhile discussed at #13780 (comment) the internal_verify() function is not the right/best place to add the intended check, so I've disabled it there for now.
Yet where else to place it then?
There was a problem hiding this comment.
As meanwhile discussed at #13780 (comment) the
internal_verify()function is not the right/best place to add the intended check, so I've disabled it there for now.
Yet where else to place it then?
Nowhere that comes to mind. Hence the suggestion to drop this PR.
There was a problem hiding this comment.
I meanwhile think that the check is best done just before calling internal_verify(), in verify_chain().
There was a problem hiding this comment.
I don't see how that solves my fundamental objection that the context for making decisions is no longer available, and we just need to make sure that the build_chain code is correct.
DDvO
changed the title
DDvO
force-pushed
the
internal_verify_check_trust
branch
from
95ff73d
to
68cdf2a
Compare
DDvO
changed the title
|
I've adapted and rebased this PR, moving out the rather unrelated renaming of |
DDvO
force-pushed
the
internal_verify_check_trust
branch
from
68cdf2a
to
57a337d
Compare
|
I'm placing on OTC hold on this PR. I don't think it should be merged, but if there's a consensus around a sound way forward, I'm willing to reconsider my objections. If you decide to just close this instead, that'd be fine too. |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 92 days ago |
DDvO
force-pushed
the
internal_verify_check_trust
branch
3 times, most recently
from
a1547d3
to
ae1dcdc
Compare
| @@ -131,7 +131,7 @@ static int lookup_cert_match(X509 **result, X509_STORE_CTX *ctx, X509 *x) | |||
| xtmp = NULL; | |||
| } | |||
| ret = xtmp != NULL; | |||
| if (ret) { | |||
| if (ret && result != NULL) { | |||
There was a problem hiding this comment.
This change is not needed, or is not what you had in mind. The result output parameter (pointer) is never NULL, we'd have crashed at *result = NULL on line 119 if it were.
There was a problem hiding this comment.
Oh, right! Fixed that.
Also added a comment on the use of result:
* If result is not NULL, on success *result will hold the up-ref'd found cert.
The idea is that the function can now also be used as follows:
static int directly_trusted(X509_STORE_CTX *ctx, X509 *cert)
{
return X509_check_trust(cert, ctx->param->trust,
ctx->param->flags) != X509_TRUST_REJECTED
&& lookup_cert_match(NULL, ctx, cert) != 0;
}
| @@ -224,6 +231,15 @@ static int verify_chain(X509_STORE_CTX *ctx) | |||
| ctx->param->flags); | |||
| CB_FAIL_IF(err != X509_V_OK, ctx, NULL, ctx->error_depth, err); | |||
|
|
|||
| /* In the non-DANE case (re-)check direct trust in the root of the chain */ | |||
There was a problem hiding this comment.
The DANE case can be more strict than non-DANE when the matched TLSA record is PKIX-TA(0) or PKIX-EE(1) so such a check would need to also happen in that case (and not with DANE-TA(2)/DANE-EE(3)). BUT: I think this PR is not warranted. Test coverage should ensure that build chains correctly, and I don't see much point in doing duplicate work at runtime.
There was a problem hiding this comment.
Well, I suggest postponing the further handling of this PR including the fundamental discussion to post-3.0.
I just rebased this PR (and others) recently in order to fix merge conflicts before more such conflicts pile up.
…n-DANE Forms a safety-net making verification independendent of the chain building algorithm.
DDvO
force-pushed
the
internal_verify_check_trust
branch
from
ae1dcdc
to
87d7b4b
Compare
|
At this point I don't see any remaining substantial bugs, but still question the need for this PR. The minor issues are:
|
|
OTC: We see no need for this PR. |
|
Did you intend to close this?
|
Yes, it was intentionally closed by OTC after a discussion on the meeting. |
|
Clearly I need to read better.
|
I think it would be good as a security precaution to
make
internal_verify()verify_chain()(re-)check the trust placed in the last element of the chain being verified (i.e., its trust anchor),such that the correctness of chain verification becomes independent of the checks done during chain building.