On Fri, Dec 04, 2015 at 07:41:16AM +0100, Karthikeyan Bhargavan wrote:
> Of course, the current practice is that KeyUsage is ignored. OpenSSL will
> take a certificate that only specified Public Key Encryption and happily use
> and accept it for digital signature. Similar flexibility allows ECDSA certs
> that should only be used for signing to be used for static ECDH key exchange
> (leading to other vulnerabilities). Do we (as in the TLS working group) have
> the necessary influence to make sure that KeyUsage is respected?
Suppose keyUsage is respected. Who will knowingly shoot themselves in the foot
and restrict their RSA certificate to just DHE or just RSA key transport? This
looks like an impractical counter-measure.

And by the way, key usage is enforced by OpenSSL for EC.

    $ git grep -C3 X509v3_KU_ ssl
    ssl/ssl_lib.c-        X509_check_purpose(x, -1, 0);
    ssl/ssl_lib.c-# ifndef OPENSSL_NO_ECDH
    ssl/ssl_lib.c-        ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
    ssl/ssl_lib.c:            (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
    ssl/ssl_lib.c-# endif
    ssl/ssl_lib.c-        ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
    ssl/ssl_lib.c:            (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
    ssl/ssl_lib.c-        if (!(cpk->valid_flags & CERT_PKEY_SIGN))
    ssl/ssl_lib.c-            ecdsa_ok = 0;
    ssl/ssl_lib.c-        ecc_pkey = X509_get_pubkey(x);
    --
    ssl/ssl_lib.c-    }
    ssl/ssl_lib.c-    if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
    ssl/ssl_lib.c-        /* key usage, if present, must allow key agreement */
    ssl/ssl_lib.c:        if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
    ssl/ssl_lib.c-            SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
    ssl/ssl_lib.c-                   SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
    ssl/ssl_lib.c-            return 0;
    --
    ssl/ssl_lib.c-    }
    ssl/ssl_lib.c-    if (alg_a & SSL_aECDSA) {
    ssl/ssl_lib.c-        /* key usage, if present, must allow signing */
    ssl/ssl_lib.c:        if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
    ssl/ssl_lib.c-            SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
    ssl/ssl_lib.c-                   SSL_R_ECC_CERT_NOT_FOR_SIGNING);
    ssl/ssl_lib.c-            return 0;

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
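The ku_reject() rule quoted in the OpenSSL excerpt above (accept a certificate with no KeyUsage extension for any use; if the extension is present, require the bit the key exchange needs) is small enough to show end to end. The following is an added example, written for this page and not code from the thread or from OpenSSL: it decodes the KeyUsage value (a DER BIT STRING, RFC 5280 section 4.2.1.3) into named flags and then applies the same present-but-missing-bit rule to a few TLS key-exchange/authentication families. The cipher-family names, the REQUIRED_BIT table and all DER byte strings are constructed for the example.

```python
# Added example (not from the thread and not OpenSSL's own code): parse the
# X.509 KeyUsage extension value, a DER BIT STRING, into named flags, then
# apply the same accept/reject rule OpenSSL's ku_reject() implements: a cert
# with no KeyUsage extension is accepted for any use, while a cert that has
# the extension must carry the bit the TLS key-exchange / authentication
# method needs. All DER samples below are constructed for the example.

from typing import Optional, Set

# RFC 5280 section 4.2.1.3 bit positions, MSB-first within the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Which KeyUsage bit each TLS key-exchange / authentication family needs from
# the server certificate's key. The family names are labels chosen for this
# example (they follow the usual OpenSSL cipher-string spelling).
REQUIRED_BIT = {
    "RSA":         "keyEncipherment",   # RSA key transport: cert key decrypts the premaster
    "DHE-RSA":     "digitalSignature",  # cert key signs the ServerKeyExchange
    "ECDHE-RSA":   "digitalSignature",
    "ECDHE-ECDSA": "digitalSignature",
    "ECDH-ECDSA":  "keyAgreement",      # static ECDH: the cert key *is* the ECDH key
    "ECDH-RSA":    "keyAgreement",
}


def parse_key_usage(der: bytes) -> Set[str]:
    """Decode the DER-encoded KeyUsage value (the BIT STRING only, not the
    surrounding Extension SEQUENCE) into a set of flag names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage carries at most 9 bits, so its DER length is always short form.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or truncated length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    # DER requires the unused trailing bits to be zero; reject otherwise.
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    nbits = len(body) * 8 - unused
    flags = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            flags.add(KEY_USAGE_BITS[i])
    return flags


def ku_reject(key_usage: Optional[Set[str]], required: str) -> bool:
    """Mirror of the OpenSSL rule: reject only if KeyUsage is *present* and
    lacks the bit. None means the certificate has no KeyUsage extension."""
    return key_usage is not None and required not in key_usage


def acceptable_for(key_usage: Optional[Set[str]], family: str) -> bool:
    """True if a certificate with this KeyUsage may be used for the given
    TLS key-exchange / authentication family."""
    return not ku_reject(key_usage, REQUIRED_BIT[family])


# Constructed sample KeyUsage values (DER BIT STRING encodings).
SAMPLES = {
    "rsa_sign_and_encipher": b"\x03\x02\x05\xa0",     # digitalSignature, keyEncipherment
    "ecdsa_sign_only":       b"\x03\x02\x07\x80",     # digitalSignature
    "ecdh_agreement_only":   b"\x03\x02\x03\x08",     # keyAgreement
    "decipher_only":         b"\x03\x03\x07\x00\x80", # decipherOnly (bit 8, second byte)
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        ku = parse_key_usage(der)
        ok = [f for f in REQUIRED_BIT if acceptable_for(ku, f)]
        print(f"{name:24s} {sorted(ku)} -> usable for {ok}")
    print("no KeyUsage extension    -> usable for",
          [f for f in REQUIRED_BIT if acceptable_for(None, f)])
```

Running it shows the asymmetry the thread is discussing: the ecdsa_sign_only sample is accepted for ECDHE-ECDSA but rejected for static ECDH-ECDSA, the ecdh_agreement_only sample is the reverse, and a certificate with no KeyUsage extension at all passes every family, which is exactly why the extension only constrains anything when CAs actually emit it.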