Based on yesterday's post (DN of issuer and DN of subject seemed to be compared 
string fashion) - we dove a bit deeper in a specific case where folks seemed to 
be able to bypass/fool the security of an internet chat app and found the 
following with a cert signed by a CA cert (each cert has its own differing key 
pair):

1)      When subject and issuer DN are identical
2)      Or when they are case-insensitive identical

We get openssl's 'verify' confused. It requires a case-insensitive non-equal 
set of DNs to get back to sane behavior. 

What am I missing; or are we looking at a bug in openssl which can be exploited 
(well, is exploited but that assumes certain humans and process 'faults' and UI 
confusion in play). And is this the app built on top of openssl misinterpreting 
- or openssl doing a case-insensitive comparison in the wrong place?

Thanks,

Dw.

# Create a CA and a Cert CSR and have the first sign the latter.
#
set -e
openssl req -new -x509 -subj "/CN=localhost" \
        -nodes -out fake-ca.pem -keyout fake-ca.key -set_serial 2
openssl req -new -subj "/CN=localhost" \
        -out fake-selfsign.crs -nodes -keyout fake-selfsign.key
openssl x509 -req \
        -CAkey fake-ca.key -CA fake-ca.pem \
        -out fake-selfsign.pem -in fake-selfsign.crs -set_serial 3

# check that certs are sane and as expected
#
openssl x509 -text -in fake-ca.pem
openssl x509 -text -in fake-selfsign.pem

# check that the selfsigned cert is signed as expected
openssl verify -CAfile fake-ca.pem  fake-ca.pem
# >> fake-ca.pem: OK

# check again - but without itself - so we should get a
# selfsign warning
#
openssl verify fake-ca.pem fake-ca.pem
# >> fake-ca.pem: /CN=localhost
# >> error 18 at 0 depth lookup:self signed certificate
# >> OK

# So far so good. Now on to the stuff which ain't worky
#
# So now check the cert we signed. We'd expect the single
# OK - like above.
#
openssl verify -CAfile fake-ca.pem  fake-selfsign.pem
#
# But instead get a:
#
#>> fake-selfsign.pem: /CN=localhost
#>> error 18 at 0 depth lookup:self signed certificate
#>> /CN=localhost
#>> error 7 at 0 depth lookup:certificate signature failure
#>> 13566:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_pk1.c:100:
#>> 13566:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_eay.c:698:
#>> 13566:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_verify.c:173:

# Drat - so let's make the DN of the issuer and DN of the subject a bit
# different (localhost to capitalized Localhost):
#
openssl req -new -x509 -subj "/CN=Localhost" \
        -nodes -out fake-ca.pem -keyout fake-ca.key -set_serial 2
openssl req -new -subj "/CN=localhost" \
        -out fake-selfsign.crs -nodes -keyout fake-selfsign.key
openssl x509 -req \
        -CAkey fake-ca.key -CA fake-ca.pem \
        -out fake-selfsign.pem -in fake-selfsign.crs -set_serial 3

# And check the signature again. We'd expect an OK now - as even the DN's are
# no longer identical.
#
openssl verify -CAfile fake-ca.pem  fake-selfsign.pem
#
# But instead we get the same error.
#
#>> fake-selfsign.pem: /CN=localhost/C=TT
#>> error 18 at 0 depth lookup:self signed certificate
#>> /CN=localhost/C=TT
#>> error 7 at 0 depth lookup:certificate signature failure
#>> 13585:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_pk1.c:100:
#>> 13585:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_eay.c:698:
#>> 13585:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_verify.c:173:


# Ok - so how about fully different Localhost -> Xocalhost - so back to the
# canonical case you'd have with proper CA's which should not issue DN's
# identical to their own (as it would get messy quickly - e.g. in a CRL all
# you have is pretty much the DN!)
#
openssl req -new -x509 -subj "/CN=Xocalhost" \
        -nodes -out fake-ca.pem -keyout fake-ca.key -set_serial 2
openssl req -new -subj "/CN=localhost" \
        -out fake-selfsign.crs -nodes -keyout fake-selfsign.key
openssl x509 -req \
        -CAkey fake-ca.key -CA fake-ca.pem \
        -out fake-selfsign.pem -in fake-selfsign.crs -set_serial 3

openssl verify -CAfile fake-ca.pem  fake-selfsign.pem 
#
# Get back the expected
#
#>> fake-selfsign.pem: OK


# end of narrative
exit 0



Same with an OpenSSL based client; e.g. apache - config:

Listen *:2100
<VirtualHost *:2100>
        Servername localhost
        SSLEngine On
        SSLCertificateFile         /home/xxx/tmp/fake-selfsign.pem 
        SSLCertificateKeyFile   /home/xx/tmp/fake-selfsign.key
        SSLCertificateChainFile /home/xxx/tmp/fake-ca.pem      
</VirtualHost> 


And then the output of openssl s_client which matches with that of IE and 
Safari/Keychain:


openssl s_client -connect 127.0.0.1:2100 -showcerts -CAfile fake-ca.pem 
CONNECTED(00000003)
depth=0 /CN=localhost/C=TT
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=localhost/C=TT
verify error:num=7:certificate signature failure
verify return:1
depth=0 /CN=localhost/C=TT
verify return:1
---
Certificate chain
 0 s:/CN=localhost/C=TT
   i:/CN=localhost/C=TT
 1 s:/CN=localhost/C=TT
   i:/CN=localhost/C=TT
---
Server certificate
subject=/CN=localhost/C=TT
issuer=/CN=localhost/C=TT
---
No client certificate CA names sent
---
SSL handshake has read 1570 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DA8A8FA0D3759885858F26D6F93267C74F9AAFDFC7D2DE42372E7A2B5C6AD30F
    Session-ID-ctx: 
    Master-Key: 00359DE19714B0D74E231C921833C5BF537863D402A26AB886B9337641DB332409D2FFE39B93459A5A4AA1A91448CC1D
    Key-Arg   : None
    Start Time: 1329144492
    Timeout   : 300 (sec)
    Verify return code: 7 (certificate signature failure)
---


and the 'normal' case



 openssl s_client -connect 127.0.0.1:2100 -showcerts -CAfile fake-ca.pem 
CONNECTED(00000003)
depth=1 /CN=Xocalhost/C=TT
verify return:1
depth=0 /CN=localhost/C=TT
verify return:1
---
Certificate chain
 0 s:/CN=localhost/C=TT
   i:/CN=Xocalhost/C=TT
 1 s:/CN=Xocalhost/C=TT
   i:/CN=Xocalhost/C=TT
---
Server certificate
subject=/CN=localhost/C=TT
issuer=/CN=Xocalhost/C=TT
---
No client certificate CA names sent
---
SSL handshake has read 1570 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 675283B33E1C3D1CFFC98EE22F6EF860AEAACA41728C9E670C8F67146D5A3504
    Session-ID-ctx: 
    Master-Key: 04CA98FA19B3C53BBCA52291CAA5E42A804078BF53703246113D869C6A8EC5884253DEF4CA775DEBF7F5F5F7DF807351
    Key-Arg   : None
    Start Time: 1329144444
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
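
An added example, not part of the original post: a shell check that rebuilds the three DN cases above with throwaway certificates and flags a certificate whose issuer DN matches its own subject DN under OpenSSL's case-folding name hash while its key differs from the issuer's. It assumes OpenSSL 1.0.0 or later on PATH; the helper names (`mk_ca`, `mk_leaf`, `name_hash`, `pubkey`, `classify`) and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway certificates, constructed in a temp directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/min.cnf"

# mk_ca NAME CN: self-signed cert NAME.pem with its own key NAME.key
mk_ca() {
    openssl req -new -x509 -config "$WORK/min.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -set_serial 2 2>/dev/null
}

# mk_leaf NAME CN CA: cert NAME.pem with its own key, signed by CA's key
mk_leaf() {
    openssl req -new -config "$WORK/min.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" \
        -CAkey "$WORK/$3.key" -set_serial 3 -out "$WORK/$1.pem" 2>/dev/null
}

# name_hash NAME subject|issuer: OpenSSL's hash of the canonical (case-folded) DN
name_hash() { openssl x509 -in "$WORK/$1.pem" -noout "-${2}_hash"; }
pubkey()    { openssl x509 -in "$WORK/$1.pem" -noout -pubkey; }

# classify CERT CA prints:
#   distinct        issuer DN differs from the cert's own subject DN
#   same-key        DNs match and CERT carries the same public key as CA
#   name-collision  DNs match but the keys differ (the case in the post)
classify() {
    if [ "$(name_hash "$1" issuer)" != "$(name_hash "$1" subject)" ]; then
        echo distinct
    elif [ "$(pubkey "$1")" = "$(pubkey "$2")" ]; then
        echo same-key
    else
        echo name-collision
    fi
}

mk_ca ca_same localhost;  mk_leaf leaf_same localhost ca_same
mk_ca ca_case Localhost;  mk_leaf leaf_case localhost ca_case
mk_ca ca_other Xocalhost; mk_leaf leaf_other localhost ca_other
echo "ca_same vs itself: $(classify ca_same ca_same)"
for t in same case other; do
    echo "leaf_$t vs ca_$t: $(classify "leaf_$t" "ca_$t")"
done
```

Running `classify` over certificates before they are deployed or added to a trust store catches the ambiguous case without depending on how a particular verifier reports it.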





