Am wondering if I am missing something.
I was expecting crypto libraries to track the identity/DN of a signature as
something tied to the key pair - and not to a stringified DN. So when checking
if something is self signed - they verify if the pub key of the signing entity
would match that of the entity signed, etc.
Recently I encountered something in the wild which suggested that at least some
crypto libs would play a bit loose - and that this could be abused a wee bit.
So I was running some tests to see if I could fool some validation code which
looked a bit too string based to me. I created something which was to look self
signed - yet was not:
LABEL="/OU=run $$/O=test stuff/L=test/ST=test/C=TT"
openssl req -new -x509 -subj "/CN=localhost${LABEL}" -nodes \
    -out fake-ca.pem -keyout fake-ca.key -set_serial 1
openssl req -new -subj "/CN=localhost${LABEL}" -out fake-selfsign.crs \
    -nodes -keyout fake-selfsign.key
openssl x509 -req -CAkey fake-ca.key -CA fake-ca.pem \
    -out fake-selfsign.pem -in fake-selfsign.crs -set_serial 2
So the result of this is a signed certificate; where the issuer and subject
have the same DN - yet one which is not self signed (the CA is of course).
One can then run a server against it
openssl s_server -accept 2004 -cert fake-selfsign.pem \
    -key fake-selfsign.key -debug -www &
or with a chain
openssl s_server -accept 2005 -cert fake-selfsign.pem \
    -key fake-selfsign.key -debug -www -chain -CAfile fake-ca.pem &
I'd have expected the latter to give me both certs with the -showcerts when
connected to
openssl s_client -connect 127.0.0.1:2005 -showcerts
and both endpoints giving me a bit of grief about an unknown CA along the lines
of:
Verify return code: 19 (self signed certificate in certificate chain)
and something like:
Verify return code: 0 (ok)
once I would give s_client a -CA_path of fake-ca.pem. Much to my surprise I
got:
…
Verify return code: 18 (self signed certificate)
Full output below in appendix A.
Needless to say - just changing the DN by one character with
openssl req -new -x509 -subj "/CN=Xlocalhost${LABEL}" -nodes \
    -out fake-ca.pem -keyout fake-ca.key -set_serial 1
in above - causes exactly the
Verify return code: 19 (self signed certificate in certificate chain)
or
Verify return code: 0 (ok)
behavior (depending on CAfile). See appendix B. So I am left wondering - does
OpenSSL play too loose with comparing what signs - or am I missing something?
(As an aside - the code I was worried about did do its check proper - it was
openssl which surprised me)
Thanks,
Dw.
Appendix A
----------------
beeb:~ dirkx$ openssl version
OpenSSL 1.0.0g 18 Jan 2012
beeb:~ dirkx$ openssl s_client -connect 127.0.0.1:2005 -showcerts
CONNECTED(00000003)
depth=0 CN = localhost, OU = run 65591, O = test stuff, L = test, ST = test, C = TT
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost, OU = run 65591, O = test stuff, L = test, ST = test, C = TT
verify return:1
---
Certificate chain
0 s:/CN=localhost/OU=run 65591/O=test stuff/L=test/ST=test/C=TT
i:/CN=localhost/OU=run 65591/O=test stuff/L=test/ST=test/C=TT
-----BEGIN CERTIFICATE-----
MIICP…S==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost/OU=run 65591/O=test stuff/L=test/ST=test/C=TT
issuer=/CN=localhost/OU=run 65591/O=test stuff/L=test/ST=test/C=TT
---
No client certificate CA names sent
---
SSL handshake has read 1111 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 33AB81FD08C7768FD0964A6E7AF6D1404B89C7C21C04D1A1A28F257AA7D51697
Session-ID-ctx:
Master-Key: C09981AEEAC86115E6B7CCFE8BC48A715644D6F7249FFAAFC1341A7EB46E8D80F5FBC00915CE259E776BF1396A2D7096
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
Compression: 1 (zlib compression)
Start Time: 1329061325
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
^C
Appendix B
----------------
beeb:~ dirkx$ openssl version
OpenSSL 1.0.0g 18 Jan 2012
beeb:~ dirkx$ openssl s_client -connect 127.0.0.1:2005 -showcerts -CAfile ~/Personal/random-open-source/ssl-panel/tmp/fake-ca.pem
CONNECTED(00000003)
depth=1 CN = Xlocalhost, OU = run 67808, O = test stuff, L = test, ST = test, C = TT
verify return:1
depth=0 CN = localhost, OU = run 67808, O = test stuff, L = test, ST = test, C = TT
verify return:1
---
Certificate chain
0 s:/CN=localhost/OU=run 67808/O=test stuff/L=test/ST=test/C=TT
i:/CN=Xlocalhost/OU=run 67808/O=test stuff/L=test/ST=test/C=TT
-----BEGIN CERTIFICATE-----
MIICQTC..eXM=
-----END CERTIFICATE-----
1 s:/CN=Xlocalhost/OU=run 67808/O=test stuff/L=test/ST=test/C=TT
i:/CN=Xlocalhost/OU=run 67808/O=test stuff/L=test/ST=test/C=TT
-----BEGIN CERTIFICATE-----
MIICm..4hWw==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost/OU=run 67808/O=test stuff/L=test/ST=test/C=TT
issuer=/CN=Xlocalhost/OU=run 67808/O=test stuff/L=test/ST=test/C=TT
---
No client certificate CA names sent
---
SSL handshake has read 1786 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 63FF1C4BDA81D0643EFF527F883D0C24CDF755B144C400F25A06DF724FCE4E38
Session-ID-ctx:
Master-Key: EF1C7F9D6F912914F8ED8A9F9BBA48731A42672D3C2C74FAC091C0566988AD4224136515002E8B872CAED1ED7DFB6CCB
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
Compression: 1 (zlib compression)
Start Time: 1329062026
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
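
Added example, not part of the original message and not OpenSSL's own code: a check that separates "issuer and subject names match" from "the signature verifies under the certificate's own public key", which is the distinction the message above asks about. The function names (sig_ok, classify, make_certs), the RSA-2048 keys and the SHA-256 digest are assumptions of this sketch; the certificates are constructed test data modelled on the commands in the message.

```sh
#!/bin/sh
# Added example; every certificate here is constructed throwaway test data.

# sig_ok CERT SIGNER: succeeds only if CERT's signature verifies under
# SIGNER's public key. Assumes SHA-256 signatures, as make_certs produces.
sig_ok() {
    t=$(mktemp -d) || return 2
    # Offsets of the TBSCertificate (2nd ASN.1 item) and signature (last item).
    tbs=$(openssl asn1parse -in "$1" | awk -F: 'NR == 2 { print $1 + 0 }')
    sig=$(openssl asn1parse -in "$1" | awk -F: '{ o = $1 } END { print o + 0 }')
    openssl x509 -in "$2" -noout -pubkey > "$t/pub.pem" &&
    openssl asn1parse -in "$1" -strparse "$tbs" -noout -out "$t/tbs.der" &&
    openssl asn1parse -in "$1" -strparse "$sig" -noout -out "$t/sig.bin" &&
    openssl dgst -sha256 -verify "$t/pub.pem" -signature "$t/sig.bin" \
        "$t/tbs.der" >/dev/null 2>&1
    rc=$?
    rm -rf "$t"
    return "$rc"
}

# classify CERT: the name comparison alone only shows "self-issued"; the
# signature check against the certificate's own key decides "self-signed".
classify() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" != "$issr" ]; then echo "issued-by-other-name"
    elif sig_ok "$1" "$1"; then echo "self-signed"
    else echo "self-issued-only"
    fi
}

# make_certs DIR: a CA and a leaf sharing one DN, as in the post.
make_certs() {
    dn="/CN=localhost/OU=run $$/O=test stuff/L=test/ST=test/C=TT"
    openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -subj "$dn" \
        -out "$1/fake-ca.pem" -keyout "$1/fake-ca.key" -set_serial 1 2>/dev/null &&
    openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "$dn" \
        -out "$1/leaf.csr" -keyout "$1/leaf.key" 2>/dev/null &&
    openssl x509 -req -sha256 -CA "$1/fake-ca.pem" -CAkey "$1/fake-ca.key" \
        -in "$1/leaf.csr" -out "$1/fake-selfsign.pem" -set_serial 2 2>/dev/null
}

d=$(mktemp -d) && make_certs "$d"
echo "fake-ca.pem:       $(classify "$d/fake-ca.pem")"
echo "fake-selfsign.pem: $(classify "$d/fake-selfsign.pem")"
```
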
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List