subject:"\[openssl.org #2732\] Bug\: verification fails if muliple certification path \(EV\/Verisign\)"

[openssl.org #2732] Bug: verification fails if muliple certification path (EV/Verisign)

2012-03-06 Thread Dan Lukes via RT


Same problem apply for cross-certificates which create multiple paths also.

Imagine the expiring CA (expiring within year or two, not expired 
already). The organization will create the new one, but want to maintain 
transition period for the users. So create two cross certificates - the 
public of oldCA will sign by new CA and vice versa. So resulting 
structure is:


a) public key of newCA is selfsigned, creating root certificate of new  tree
b) same public key is signed by oldCA with CA:TRUE attribute, creating 
certificate of intermediate CA authority within old tree

End servers with certificate issued by (newCA|intermediate CA) should 
send following chain:

  
s: /CN=EndCertificate
i: /CN=newCA

s: /CN=newCA # This is intermediate CA certificate
i: /CN=oldCA
  

Scenario 1:
User is not aware of existence newCA yet (but oldCA is still not expired 
and trusted by user). Verification:

EndCertificate issued by (newCA|intermediate CA) issued by oldCA

Conclusion: certificate considered trusted

  

Scenario 2:
User trusting newCA. Verification:

EndCertificate issued by (newCA|intermediate CA) which is considered 
trusted by user, no further steps required

Conclusion: certificate considered trusted

  

Unfortunately, scenario 2 doesn't work with OpenSSL.
End-of-chain certificates are verified against trusted store only.

So painless transition from one CA to other CA is not possible

Dan


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #2732] Bug: verification fails if muliple certification path (EV/Verisign)

2012-02-25 Thread Steffen Ullrich via RT

Hi, we get the following verification problem in our product, because
some servers like signin.ebay.de, comdirect.de or meine.deutsche-bank.de
add additional certicates to the chain, which are needed for some 
clients but not for others. Unfortunatly these are not minor companies
and all of the certificates are EV.
Tests done with various openssl versions from 0.9.7j up to 1.0.0a on 
OpenBSD and 1.0.0e and 1.0.1beta2 on Ubuntu 11.10.

Details:

The server sends 3 certificates (cert3, cert2 and cert1) while the client
has certB and/or certR as a trusted root certificate. 
certR signs cert1, while certB signs cert2 by using the same public key
as cert1.
The certificate hierarchy as a picture:

   -
   | Cert3 |
   |   |   |
   | Cert2 --
   |   |   ||
   | Cert1 ||
   |___|___||
   ||
   ||
 CertR -\ CertB -\
   ||   ||


cert3.pem 
  - ..CN=meine.deutsche-bank.de
  - SHA1 Fingerprint=6C:F2:11:14:DC:4F:77:95:1A:67:63:E1:64:2B:AE:2F:DF:33:EB:BC
cert2.pem 
  - ..CN=VeriSign Class 3 Extended Validation SSL SGC CA 
  - SHA1 Fingerprint=B1:80:39:89:98:31:F1:52:61:46:67:CF:23:FF:CE:A2:B0:E7:3D:AB
cert1.pem 
  - ..CN=VeriSign Class 3 Public Primary Certification Authority - G5
  - SHA1 Fingerprint=29:B7:3D:9F:75:01:B8:C0:AD:FD:5E:43:37:A3:90:D1:AD:20:5F:48

certB.pem 
  - ..CN=VeriSign Class 3 Public Primary Certification Authority - G5
  - SHA1 Fingerprint=4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
  - this has the same public key as cert1, but is self signed
certR.pem 
  - C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
  - SHA1 Fingerprint=74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
  - this is very old but still valid, but MD2/RSA signed and thus probably not 
added in some products
(it's not in /etc/ssl/certs on Ubuntu 11.10)


The following tests will be done

- openssl verify -verbose -CAfile chain21.pem cert3.pem
  cat cert2.pem cert1.pem  chain21.pem
  will FAIL because neither certB nor certR are present and so no root is found

- openssl verify -verbose -CAfile chain21R.pem cert3.pem 
  cat cert2.pem cert1.pem certR.pem  chain21R.pem
  will SUCCEED because a complete hierarchy to the root can be found:
  cert3 - cert2 - cert1 - certR

- openssl verify -verbose -CAfile chain2B.pem cert3.pem
  cat cert2.pem certB.pem  chain2B.pem
  will SUCCEED because a complete hierarchy to the root can be found:
  cert3 - cert2 - certB

so far everything is like expected, but it gets interesting if we have
both cert1 and certB. Note that cert1 has the same public key as certB
so that both certificates sign cert2.

- openssl verify -verbose -CAfile chain21B.pem cert3.pem
  cat cert2.pem cert1.pem certB.pem  chain21B.pem
  The expected thing is, that it will succeed because it can verify
  cert3 - cert2 - cert B and just ignore cert1.
  But it FAILs because it tries cert3 - cert2 - cert1 - .. and then it
  is missing certR

- openssl verify -verbose -CAfile chain2B1.pem cert3.pem
  cat cert2.pem certB.pem cert1.pem  chain2B1.pem
  same certificates as last test, but this time certB is before cert1.
  I would expect, that the order does not matter, but this SUCCEEDs 
  because of cert3 - cert2 - certB and it ignores cert1

And this is where the bug is: one should expect, that it ignores an
the unneeded cert1 in both cases, but the behavior depends on the order
of the certicates in the chain.

The bug causes konqueror (using openssl) to fail on certificate check,
while Chrome and firefox (using NSS) succeed. At least FF seems to 
have certR too, but uses certB, probably because the trust chain is
shorter.  Opera on Linux and MSIE8 on Windows XP succeed too, also using 
certB and not certR for verification.

A similar problem was already reported, but w/o response:
http://rt.openssl.org/Ticket/Display.html?id=2634
and maybe http://rt.openssl.org/Ticket/Display.html?id=1851
is also related.

If you need more information or tests please let me know.

Regards,
Steffen Ullrich

-- 
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999

Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
57:bf:fb:03:fb:2c:46:d4:e1:9e:ce:e0:d7:43:7f:13
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification 
Authority
Validity
Not Before: Nov  8 00:00:00 2006 GMT
Not After : Nov  7 23:59:59 2021 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary 
Certification Authority - G5

[openssl.org #2732] Bug: verification fails if muliple certification path (EV/Verisign)

[openssl.org #2732] Bug: verification fails if muliple certification path (EV/Verisign)

2 matches

Site Navigation

Mail list logo

Footer information