For those who are interested, in contrast to the direct EKU validation with
Test-Certificate, certutil does validate the OCSP signing EKU on the
delegated OCSP signing certificate but doesn't validate the
certificate chain for the OCSP signing EKU.

Full test script and output can be found here:
https://gist.github.com/vanbroup/84859cd10479ed95c64abe6fcdbdf83d

On Thu, 2 Jul 2020 at 20:42, Paul van Brouwershaven <p...@vanbrouwershaven.com> wrote:

> When validating the EKU using `Test-Certificate` Windows states it's
> invalid, but when using `certutil` it's accepted or not explicitly checked.
> https://gist.github.com/vanbroup/64760f1dba5894aa001b7222847f7eef
>
> When/if I have time I will try to do some further tests with a custom
> setup to see if the EKU is validated at all.
>
> On Thu, 2 Jul 2020 at 19:26, Ryan Sleevi <r...@sleevi.com> wrote:
>
>>
>>
>> On Thu, Jul 2, 2020 at 1:15 PM Paul van Brouwershaven <p...@vanbrouwershaven.com> wrote:
>>
>>>> That's not correct, and is similar to the mistake I
>>>> originally/previously made, and was thankfully corrected on, which also
>>>> highlighted the security-relevant nature of it. I encourage you to give
>>>> another pass at Robin's excellent write-up, at
>>>> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/XQd3rNF4yOo/bXYjt1mZAwAJ
>>>>
>>>
>>> Thanks, it's an interesting thread, but as shown above, Windows does
>>> validate the EKU chain, but doesn't look to validate it for delegated OCSP
>>> signing certificates?
>>>
>>
>> The problem is providing the EKU as you're doing, which forces chain
>> validation of the EKU, as opposed to validating the OCSP response, which
>> does not.
>>
>> A more appropriate test is to install the test root R as a locally
>> trusted CA, issue an intermediate I (without the EKU/only
>> id-kp-serverAuth), issue an OCSP responder O (with the EKU), and issue a
>> leaf cert L. You can then validate the OCSP response from the responder
>> cert (that is, an OCSP response signed by the chain O-I-R) for the
>> certificate L-I-R.
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
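Ryan's proposed R/I/O/L setup, carried through as an added example that is not code from this thread or from the gists linked above. It is written in Go because crypto/x509 performs the style of EKU chaining the thread discusses whenever a KeyUsages list is passed to Verify: the requested EKU has to be permitted by every chain certificate that carries an EKU extension. The program issues the four certificates, then contrasts the two checks the thread distinguishes: verifying O's chain while demanding id-kp-OCSPSigning (rejected, because I has only id-kp-serverAuth) against the RFC 6960 section 4.2.2.2 delegated-responder checks on a response for L (accepted, because only O's own EKU and its issuance by I are examined). The key types, names, function names and the placeholder response bytes (a constructed stand-in for a DER tbsResponseData, not a real BasicOCSPResponse) are my assumptions; nothing here models certutil or Test-Certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// PKI is the thread's test setup: R (root, no EKU), I (intermediate, id-kp-serverAuth
// only), O (delegated responder issued by I, id-kp-OCSPSigning), L (leaf issued by I).
type PKI struct {
	R, I, O, L *x509.Certificate
	oKey       *ecdsa.PrivateKey // responder key, used to sign responses
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// BuildPKI issues R, I, O and L with fresh P-256 keys (names are the thread's letters).
func BuildPKI() *PKI {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, // nil eku => no EKU extension
		}
		if ca {
			c.IsCA, c.BasicConstraintsValid = true, true
			c.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		return c
	}
	rKey, iKey, oKey, lKey := newKey(), newKey(), newKey(), newKey()
	rT := tmpl(1, "Test Root R", true)
	R := issue(rT, rT, &rKey.PublicKey, rKey)
	I := issue(tmpl(2, "Test Intermediate I", true, x509.ExtKeyUsageServerAuth), R, &iKey.PublicKey, rKey)
	O := issue(tmpl(3, "Test OCSP Responder O", false, x509.ExtKeyUsageOCSPSigning), I, &oKey.PublicKey, iKey)
	L := issue(tmpl(4, "example.test", false, x509.ExtKeyUsageServerAuth), I, &lKey.PublicKey, iKey)
	return &PKI{R: R, I: I, O: O, L: L, oKey: oKey}
}

// VerifyChainWithEKU builds cert's chain to R while demanding eku. crypto/x509
// requires every chain certificate that has an EKU extension to permit the
// requested usage, so id-kp-OCSPSigning on O fails at I (the "chain EKU" path).
func (p *PKI) VerifyChainWithEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.R)
	inters.AddCert(p.I)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// SignResponse plays responder O: ECDSA/SHA-256 over tbs, a constructed
// placeholder for a DER tbsResponseData (not a real BasicOCSPResponse).
func (p *PKI) SignResponse(tbs []byte) []byte {
	h := sha256.Sum256(tbs)
	sig, err := ecdsa.SignASN1(rand.Reader, p.oKey, h[:])
	check(err)
	return sig
}

// AcceptDelegatedResponse is the client side of RFC 6960 4.2.2.2 for a response
// about L: the signature verifies under responder, responder is signed by L's
// issuer I, and responder itself carries id-kp-OCSPSigning. I's EKU is not consulted.
func (p *PKI) AcceptDelegatedResponse(tbs, sig []byte, responder *x509.Certificate) error {
	if err := responder.CheckSignature(x509.ECDSAWithSHA256, tbs, sig); err != nil {
		return err
	}
	if err := responder.CheckSignatureFrom(p.I); err != nil { // I is the CA that issued L
		return err
	}
	for _, eku := range responder.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}
	return errors.New("responder certificate lacks id-kp-OCSPSigning")
}
```

Calling VerifyChainWithEKU(p.O, x509.ExtKeyUsageAny) succeeds, which shows the O-I-R chain itself is sound and only the EKU demand rejects it; AcceptDelegatedResponse never looks at I's EKU at all. How certutil and Test-Certificate behave on the same four certificates is what the linked gists measure, and this program does not stand in for them.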