Le 18 nov. 2016 à 14:56, Gervase Markham
<[email protected]<mailto:[email protected]>> a écrit :
On 17/11/16 18:41, Erwann Abalea wrote:
Another valid chain:
RootCA (subject: "C=UT, O=PerfectCA, CN=Root")
-> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0)
-> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0) <= this is
the self-issued cert, same name
-> EE
Having a pathLen=0 doesn’t forbid you from creating a CA
certificate, it only forbids you from creating a CA certificate
for a different CA. This is defined in X.509 and repeated in RFC5280.
This behaviour is supported by OpenSSL, probably by Microsoft
(haven’t checked), I guess by Mozilla libPKIX but not Mozilla::pkix
(just quickly read the source).
Well, %$£&*.
So an attacker can effectively leverage a SHA-1 collision into a cert
which is equivalent to the issuing intermediate but for which they
control the private key?
Yes.
RFC5280 section 4.2.1.9 Basic Constraints:
…
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path.
And this is taken into account in section 6.1 presenting the validation
algorithm.
Cordialement,
Erwann Abalea
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
