From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION
Date: Fri, 24 Apr 2020 11:07:10 +0200
Message-ID: <20200424090710.GA5035@scaer>
In-Reply-To: <20200423232758.zwos3e5f55pz23ld@einstein.dilieto.eu>

Nicola, Fabrice, Thomas, All,

On 2020-04-24 01:27 +0200, Nicola Di Lieto spake thusly:
> On Thu, Apr 23, 2020 at 10:09:05PM +0200, Thomas Petazzoni wrote:
> >What is this X509_UNSUPPORTED_CRITICAL_EXTENSION functionality that is
> >so weird that it requires patching the mbedtls config.h file ? Why is
> >uacme absolutely requiring this functionality that no other user of
> >mbedtls requires ?
> 
> There is an explanation at
> https://github.com/ndilieto/uacme/issues/23
> 
> Briefly, tls-alpn-01 validation requires (as per RFC8737 section 6.1) a new
> critical certificate extension. mbedTLS doesn't know about it and refuses to
> parse any certificate with such extension unless that build feature is
> enabled.

So, I think I now wrapped my head around this issue, and I think I got
it. Here's what I understood from the different resources [0] [1]:

  - in X.509, some extensions can be added to certificates
  - an extension can be marked as 'critical' or 'not critical'
  - an X.509 parser that encounters an extension marked 'critical' when
    parsing a certificate, and that does not recognise that extension,
    *must* reject that certificate.

mbedtls does the right thing here: it rejects such certificates.

However, mbedtls has an option to treat those 'critical' extensions as
if they were 'not critical'.

I think we should refuse to use mbedtls with uacme.

[0] https://en.wikipedia.org/wiki/X.509
[1] https://github.com/ndilieto/uacme/issues/23

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
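The rule Yann lays out above, shown in working code as an added example (not code from the thread, uacme or mbedtls): a small DER parser walks a constructed X.509 Extensions SEQUENCE and rejects it when a critical extension is unrecognised, with a switch that mimics the lenient build option under discussion. Assumptions: the helper names are mine, and the OID 1.3.6.1.5.5.7.1.31 is id-pe-acmeIdentifier from RFC 8737 section 6.1, the RFC cited in the quoted reply.

```python
# Added example, not from the thread or from mbedtls: a minimal DER walk over an
# X.509 Extensions SEQUENCE applying the must-reject rule the thread describes.
# Helper names are hypothetical; SAMPLE_EXTENSIONS is constructed, not a real cert.
ACME_ID_OID = "1.3.6.1.5.5.7.1.31"   # id-pe-acmeIdentifier, RFC 8737 section 6.1
SAMPLE_EXTENSIONS = bytes.fromhex(
    "303e"                                         # Extensions SEQUENCE, 62 bytes
    "3009" "0603551d13" "04023000"                 # basicConstraints, CA:FALSE
    "3031" "06082b0601050507011f" "0101ff"         # acmeIdentifier OID, critical TRUE
    "04220420" + "ab" * 32)                        # extnValue: 32-byte dummy authorization

def read_tlv(buf, pos):
    """Read one DER TLV at pos (definite lengths only) -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):                   # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:               # last base-128 group of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Yield (oid, critical, extnValue) for each Extension in the SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    pos = 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        t, oid_raw, p = read_tlv(ext, 0)
        assert tag == 0x30 and t == 0x06, "Extension ::= SEQUENCE { extnID OID, ... }"
        t, val, p = read_tlv(ext, p)
        critical = t == 0x01 and val != b"\x00"   # BOOLEAN critical DEFAULT FALSE
        if t == 0x01:
            t, val, p = read_tlv(ext, p)
        assert t == 0x04, "extnValue must be an OCTET STRING"
        yield decode_oid(oid_raw), critical, val

def check_critical_extensions(der, known_oids, allow_unsupported_critical=False):
    """Return (acceptable, unknown_critical_oids); the flag mimics the lenient
    mbedtls build option the thread debates (the cert passes, the extension is ignored)."""
    unknown = [oid for oid, critical, _ in parse_extensions(der)
               if critical and oid not in known_oids]
    return (allow_unsupported_critical or not unknown), unknown
```

A parser that knows only basicConstraints rejects the sample, one that also knows acmeIdentifier accepts it, and the lenient switch accepts it while leaving the critical extension unchecked.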
