From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION
Date: Fri, 24 Apr 2020 11:07:10 +0200 [thread overview]
Message-ID: <20200424090710.GA5035@scaer> (raw)
In-Reply-To: <20200423232758.zwos3e5f55pz23ld@einstein.dilieto.eu>
Nicola, Fabrice, Thomas, All,
On 2020-04-24 01:27 +0200, Nicola Di Lieto spake thusly:
> On Thu, Apr 23, 2020 at 10:09:05PM +0200, Thomas Petazzoni wrote:
> >What is this X509_UNSUPPORTED_CRITICAL_EXTENSION functionality that is
> >so weird that it requires patching the mbedtls config.h file ? Why is
> >uacme absolutely requiring this functionality that no other user of
> >mbedtls requires ?
>
> There is an explanation at
> https://github.com/ndilieto/uacme/issues/23
>
> Briefly, tls-alpn-01 validation requires (as per RFC8737 section 6.1) a new
> critical certificate extension. mbedTLS doesn't know about it and refuses to
> parse any certificate with such extension unless that build feature is
> enabled.
So, I think I now wrapped my head around this issue, and I think I got
it. Here's what I understood from the different resources [0] [1]:
- in X.509, some extensions can be added to certificates
- an extension can be marked as 'critical' or 'not critical'
- an X.509 parser that encounters an extension marked 'critical' when
parsing a certificate, and that does not recognise that extension,
*must* reject that certificate.
mbedtls does the right thing here: it rejects such certificates.
However, embedtls has an option to treat thoe 'critical' extensions as
if they were 'not critical'.
I think we should refuse to use mbedtls with uacme.
[0] https://en.wikipedia.org/wiki/X.509
[1] https://github.com/ndilieto/uacme/issues/23
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2020-04-24 9:07 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-22 19:20 [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION Fabrice Fontaine
2020-04-22 19:20 ` [Buildroot] [PATCH 2/3] package/uacme: allow selection of crypto backend Fabrice Fontaine
2020-04-22 19:20 ` [Buildroot] [PATCH 3/3] package/uacme: ualpn needs X509 unsupported critical extension support Fabrice Fontaine
2020-04-23 20:09 ` [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION Thomas Petazzoni
2020-04-23 20:27 ` Yann E. MORIN
2020-04-23 20:49 ` Thomas Petazzoni
2020-04-23 23:27 ` Nicola Di Lieto
2020-04-24 9:07 ` Yann E. MORIN [this message]
2020-04-24 11:26 ` Nicola Di Lieto
2020-04-24 11:32 ` Nicola Di Lieto
2020-04-24 11:48 ` Yann E. MORIN
2020-04-24 13:11 ` Nicola Di Lieto
2020-04-24 13:20 ` Fabrice Fontaine
2020-04-24 13:21 ` Thomas Petazzoni
2020-04-24 14:01 ` Fabrice Fontaine
2020-04-24 11:45 ` Yann E. MORIN
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200424090710.GA5035@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox