[krbdev.mit.edu #6775] pkinit <KU> evaluation during certificate matching may fail

The RT System itself via RT rt-comment at krbdev.mit.edu
Tue Sep 14 14:58:51 EDT 2010


Date: Thu, 2 Sep 2010 19:02:27 -0400
Message-Id: <201009022302.o82N2RKG015402 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: pkinit <KU> evaluation during certificate matching may fail
From: nalin at redhat.com

>Submitter-Id:	net
>Originator:	
>Organization:
>Confidential:	no
>Synopsis:	pkinit <KU> evaluation during certificate matching may fail
>Severity:	non-critical
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.8.3
>Environment:
	
System: Linux blade.bos.redhat.com 2.6.34-43.fc14.x86_64 #1 SMP Thu Jun 17 10:32:12 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
When the pkinit plugin's crypto_retieve_X509_key_usage() function goes
to read the value of a certificate's key usage extension, it doesn't
adequately ensure that the certificate's ex_flags and ex_kusage fields,
which the ku_reject() macro checks, have been set.  As a result,
ku_reject() can ignore the keyUsage value in the certificate.

>How-To-Repeat:
I tracked down the problem by placing these two certificates in the same
directory, generating dummy keys by piping the output of "openssl
genrsa" to the right files, and passing -X X509_user_identity=DIR:...
to kinit (dummy keys were used because the correct private keys live on
a smart card, and I wasn't able to get them from the original reporter
of the bug).  The current logic was accepting both of these certificates
as matches for the rule "<KU>digitalSignature".


>Fix:
It'd probably be better to check the usage bitstring directly, but
calling X509_check_ca() causes the right fields to get initialized when
built with OpenSSL 1.0.0a.
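As an added illustration of the suggestion to check the usage bit string directly (example code written for this page, not krb5 or OpenSSL code), the following reads the digitalSignature bit straight out of the DER keyUsage BIT STRING, doing by hand what OpenSSL's ASN1_BIT_STRING_get_bit() does on the value X509_get_ext_d2i() returns, so the answer never depends on ex_flags/ex_kusage having been populated. The sample extension values are constructed, not taken from the report's certificates.

```c
#include <stddef.h>

/* keyUsage bit numbers from RFC 5280 section 4.2.1.3; bit 0 is the most
 * significant bit of the first data byte of the BIT STRING. */
enum { KU_DIGITAL_SIGNATURE = 0, KU_KEY_CERT_SIGN = 5, KU_CRL_SIGN = 6 };

/* Return 1 if `bit` is set in the DER keyUsage BIT STRING `der` (the raw
 * extnValue contents), 0 if it is clear or not encoded, -1 if the encoding
 * is malformed.  Works only from the bytes on the wire, so it cannot be
 * misled by an unpopulated extension cache the way ku_reject() can. */
int ku_bit_set(const unsigned char *der, size_t len, unsigned bit)
{
    size_t clen, data_len, byte = bit / 8, pos = bit % 8;
    unsigned unused;

    /* Tag 0x03 = BIT STRING; keyUsage is tiny, so only short-form lengths. */
    if (len < 3 || der[0] != 0x03 || (der[1] & 0x80))
        return -1;
    clen = der[1];
    if (clen < 1 || 2 + clen > len)
        return -1;
    unused = der[2];                 /* count of padding bits in the last byte */
    if (unused > 7)
        return -1;
    data_len = clen - 1;             /* bytes that actually carry usage bits */
    if (byte >= data_len)            /* bit not encoded at all: treat as clear */
        return 0;
    if (byte == data_len - 1 && pos >= 8 - unused)
        return 0;                    /* falls into the padding of the last byte */
    return (der[3 + byte] >> (7 - pos)) & 1;
}

/* The pkinit rule "<KU>digitalSignature" evaluated directly on the
 * extension: matches only when the bit is present and set. */
int ku_rule_digital_signature(const unsigned char *der, size_t len)
{
    return ku_bit_set(der, len, KU_DIGITAL_SIGNATURE) == 1;
}

/* Constructed sample extnValue contents (not the report's certificates). */
static const unsigned char ku_sig_only[] = {0x03, 0x02, 0x07, 0x80}; /* digitalSignature */
static const unsigned char ku_ca_only[]  = {0x03, 0x02, 0x01, 0x06}; /* keyCertSign, cRLSign */
static const unsigned char ku_both[]     = {0x03, 0x02, 0x01, 0x86}; /* all three bits */
static const unsigned char ku_bad_tag[]  = {0x04, 0x02, 0x07, 0x80}; /* OCTET STRING, not BIT STRING */
```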

Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24286)
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(working copy)
@@ -2002,6 +2002,7 @@
             pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
 
             /* check that digitalSignature KeyUsage is present */
+            X509_check_ca(reqctx->received_cert);
             if ((usage = X509_get_ext_d2i(reqctx->received_cert,
                                           NID_key_usage, NULL, NULL))) {
 
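Review bot: the added X509_check_ca() call at the top of this hunk is there only for its side effect of populating the certificate's cached ex_flags/ex_kusage so that the later ku_reject() sees the real keyUsage, but nothing in the diff says so and its return value is silently dropped, so a reader will take it for a stray CA check. Suggest a comment plus an explicit discard, e.g. `/* make OpenSSL cache the keyUsage extension before ku_reject() */` and `(void)X509_check_ca(reqctx->received_cert);`, or, as the report itself prefers, test the `usage` bit string that X509_get_ext_d2i() already returns two lines below with ASN1_BIT_STRING_get_bit(usage, 0) (bit 0 is digitalSignature), which does not depend on the cache at all. If cache priming is kept, X509_check_purpose(x, -1, 0) is the OpenSSL call whose stated job is to process the extensions without checking any purpose.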
@@ -4548,6 +4549,7 @@
     }
 
     /* Make sure usage exists before checking bits */
+    X509_check_ca(x);
     usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
     if (usage) {
         if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
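Review bot: this hunk repeats the same unexplained workaround in a second function; if the cache-priming call is to stay, factor it into one small helper used by both call sites, with the explanatory comment there, so the two copies cannot drift, and write `(void)X509_check_ca(x);` so the discarded result is deliberate. Here too the `usage` object obtained on the next line already carries the bits, so `ASN1_BIT_STRING_get_bit(usage, 0)` would replace the ku_reject() call without relying on ex_kusage having been set.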
