[Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION
Date: Fri, 24 Apr 2020 13:45:59 +0200	[thread overview]
Message-ID: <20200424114559.GG5035@scaer> (raw)
In-Reply-To: <20200424112639.xdzs4ggqtijcij74@einstein.dilieto.eu>

On 2020-04-24 13:26 +0200, Nicola Di Lieto spake thusly:
> On Fri, Apr 24, 2020 at 11:07:10AM +0200, Yann E. MORIN wrote:
> > - an X.509 parser that encounters an extension marked 'critical' when
> >   parsing a certificate, and that does not recognise that extension,
> >   *must* reject that certificate.
> >
> 
> I wouldn't be so sure that it must be done at parsing stage though.

Well, "parsing" is maybe not the correct word, but as far as I
understand wikipedia on X.209 [0]:

    A certificate-using system must reject the certificate if it
    encounters a critical extension that it does not recognize,
    or a critical extension that contains information that it cannot
    process.

[0] https://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate

So, as mbedtls does not know what to do with such a critical extension,
allowing it to just ignore it is a violation of the X.509 spec.

>  OpenSSL
> and GnuTLS parse the certificate without problems and then fail at
> validation stage.  OpenSSL even has a "-ignore_critical" command line switch
> to ignore critical extensions:
> 
> https://man.openbsd.org/openssl.1#ignore_critical

But that is different: this is a command line argument, which is
obviously not the default. Enabling X509_UNSUPPORTED_CRITICAL_EXTENSION
will make that the default behaviour, which is unsound.

Regards,
Yann E. MORIN.

> I honestly think the approach of mbedTLS to critical extensions is blunt to
> say the least.  And just as a side note, mbedTLS *will* still happily
> generate, sign and export a certificate with an unsupported critical
> extension, even when it's built without that damn feature.  Don't ask me how
> I know...  if you don't believe me, look at
> mbedtls_x509write_crt_set_extension, called on line 1167 in ualpn.c
> 
> >
> >I think we should refuse to use mbedtls with uacme.
> 
> I agree, at least until mbedTLS changes its approach.
> 
> Regards
> Nicola

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

     prev parent reply	other threads:[~2020-04-24 11:45 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-22 19:20 [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION Fabrice Fontaine
2020-04-22 19:20 ` [Buildroot] [PATCH 2/3] package/uacme: allow selection of crypto backend Fabrice Fontaine
2020-04-22 19:20 ` [Buildroot] [PATCH 3/3] package/uacme: ualpn needs X509 unsupported critical extension support Fabrice Fontaine
2020-04-23 20:09 ` [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION Thomas Petazzoni
2020-04-23 20:27   ` Yann E. MORIN
2020-04-23 20:49     ` Thomas Petazzoni
2020-04-23 23:27   ` Nicola Di Lieto
2020-04-24  9:07     ` Yann E. MORIN
2020-04-24 11:26       ` Nicola Di Lieto
2020-04-24 11:32         ` Nicola Di Lieto
2020-04-24 11:48           ` Yann E. MORIN
2020-04-24 13:11             ` Nicola Di Lieto
2020-04-24 13:20               ` Fabrice Fontaine
2020-04-24 13:21                 ` Thomas Petazzoni
2020-04-24 14:01                   ` Fabrice Fontaine
2020-04-24 11:45         ` Yann E. MORIN [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200424114559.GG5035@scaer \
    --to=yann.morin.1998@free.fr \
    --cc=buildroot@busybox.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.