[Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION

public inbox for buildroot@busybox.net
 help / color / mirror / Atom feed

From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION
Date: Fri, 24 Apr 2020 13:45:59 +0200	[thread overview]
Message-ID: <20200424114559.GG5035@scaer> (raw)
In-Reply-To: <20200424112639.xdzs4ggqtijcij74@einstein.dilieto.eu>

On 2020-04-24 13:26 +0200, Nicola Di Lieto spake thusly:
> On Fri, Apr 24, 2020 at 11:07:10AM +0200, Yann E. MORIN wrote:
> > - an X.509 parser that encounters an extension marked 'critical' when
> >   parsing a certificate, and that does not recognise that extension,
> >   *must* reject that certificate.
> >
> 
> I wouldn't be so sure that it must be done at parsing stage though.

Well, "parsing" is maybe not the correct word, but as far as I
understand wikipedia on X.209 [0]:

    A certificate-using system must reject the certificate if it
    encounters a critical extension that it does not recognize,
    or a critical extension that contains information that it cannot
    process.

[0] https://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate

So, as mbedtls does not know what to do with such a critical extension,
allowing it to just ignore it is a violation of the X.509 spec.

>  OpenSSL
> and GnuTLS parse the certificate without problems and then fail at
> validation stage.  OpenSSL even has a "-ignore_critical" command line switch
> to ignore critical extensions:
> 
> https://man.openbsd.org/openssl.1#ignore_critical

But that is different: this is a command line argument, which is
obviously not the default. Enabling X509_UNSUPPORTED_CRITICAL_EXTENSION
will make that the default behaviour, which is unsound.

Regards,
Yann E. MORIN.

> I honestly think the approach of mbedTLS to critical extensions is blunt to
> say the least.  And just as a side note, mbedTLS *will* still happily
> generate, sign and export a certificate with an unsupported critical
> extension, even when it's built without that damn feature.  Don't ask me how
> I know...  if you don't believe me, look at
> mbedtls_x509write_crt_set_extension, called on line 1167 in ualpn.c
> 
> >
> >I think we should refuse to use mbedtls with uacme.
> 
> I agree, at least until mbedTLS changes its approach.
> 
> Regards
> Nicola

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

     prev parent reply	other threads:[~2020-04-24 11:45 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-22 19:20 [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION Fabrice Fontaine
2020-04-22 19:20 ` [Buildroot] [PATCH 2/3] package/uacme: allow selection of crypto backend Fabrice Fontaine
2020-04-22 19:20 ` [Buildroot] [PATCH 3/3] package/uacme: ualpn needs X509 unsupported critical extension support Fabrice Fontaine
2020-04-23 20:09 ` [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION Thomas Petazzoni
2020-04-23 20:27   ` Yann E. MORIN
2020-04-23 20:49     ` Thomas Petazzoni
2020-04-23 23:27   ` Nicola Di Lieto
2020-04-24  9:07     ` Yann E. MORIN
2020-04-24 11:26       ` Nicola Di Lieto
2020-04-24 11:32         ` Nicola Di Lieto
2020-04-24 11:48           ` Yann E. MORIN
2020-04-24 13:11             ` Nicola Di Lieto
2020-04-24 13:20               ` Fabrice Fontaine
2020-04-24 13:21                 ` Thomas Petazzoni
2020-04-24 14:01                   ` Fabrice Fontaine
2020-04-24 11:45         ` Yann E. MORIN [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200424114559.GG5035@scaer \
    --to=yann.morin.1998@free.fr \
    --cc=buildroot@busybox.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox