On 07/10/2015 09:32 AM, Matt Caswell wrote:
On 10/07/15 13:09, R C Delgado wrote:
Hello,
With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c.
How deep does the certificate chain have to be?
If I have 2 self-signed CA certificates, and a non-CA certificate is
received for verification, will this hit the problem?
Also, is it a condition of the bug that both CA certificates have to
have the same subject names and keys, as suggested in the file?
The conditions for triggering the bug are a little complicated, but I'll
do my best to explain it.
<snip>
So these certs would need to be present (at a minimum):
Chain 1:
Trusted Cert 1
|
Untrusted Cert 1
|
Leaf
|
Bad
Chain 2:
Trusted Cert 2
|
Leaf
|
Bad
There are other possible longer chains, but this is the minimum set. For
1.0.2, Chain 1 would have to be non-trusted, even though we have added a
trusted cert. This can occur if Trusted Cert 1 is not self signed and
its issuer is not in the trusted store. For 1.0.1 any chain will do.
Untrusted Cert 1 and Trusted Cert 2 would both have to be valid issuers
of Leaf (i.e. they have the same subject names and public keys). Chain 2
must be trusted (so Trusted Cert 2 has to be a self-signed root).
Thanks, Matt. This is the most cogent explanation I've seen to date.
Cheers
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
