
PKCS7 API does not verify certificates #6692

Closed
DemiMarie opened this issue Nov 30, 2022 · 6 comments · Fixed by #6709

Comments

@DemiMarie
Contributor

Summary

The PKCS7 API does not verify the certificates: anyone can include a self-signed certificate and have it be accepted as valid. Unless an application does additional checks on the certificate, a valid PKCS7 signature provides no security whatsoever.

System information

Mbed TLS version (number or commit id): 72bffe0
Operating system and version: All
Configuration (if not default, please attach mbedtls_config.h): All including PKCS7
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): All
Additional environment information: N/A

Expected behavior

The PKCS7 API verifies that the certificate has been signed by a trusted authority and not revoked. The certificate is also checked to be usable for the intended purpose, perhaps by being required to have an Extended Key Usage provided by the caller.

Actual behavior

The PKCS7 API does not verify the certificate.

Steps to reproduce

See above.

Additional information

In my opinion, this makes the current API almost unusable, as it is insecure-by-default.

@DemiMarie DemiMarie mentioned this issue Nov 30, 2022
@gilles-peskine-arm
Contributor

gilles-peskine-arm commented Nov 30, 2022

Following the naming conventions for X.509, the parse functions convert a string to a structured object and only check the internal validity of the string. Establishing trust would be the job of a verify function, which hasn't been implemented (or upstreamed?) yet.

@DemiMarie
Contributor Author

@gilles-peskine-arm mbedtls_pkcs7_signed_*_verify?

@gilles-peskine-arm
Contributor

Oh, I was focusing on the parser so much I didn't even pay attention. Yes, that function is present, so that doesn't make sense to me. How does the verify function not have a parameter that's a trust anchor @daverodgman @bensze01 ?

@DemiMarie
Contributor Author

> Oh, I was focusing on the parser so much I didn't even pay attention. Yes, that function is present, so that doesn't make sense to me. How does the verify function not have a parameter that's a trust anchor @daverodgman @bensze01 ?

Should there also be a list of CRLs, or some sort of support for extended revocation check?

@daverodgman
Contributor

> The PKCS7 API does not verify the certificates: anyone can include a self-signed certificate and have it be accepted as valid. Unless an application does additional checks on the certificate, a valid PKCS7 signature provides no security whatsoever.

mbedtls_pkcs7_signed_*_verify validates against the public key in the certificate supplied by the caller. It does not validate against the certificate(s) in the pkcs7 file.

This means it's useful for certain use-cases where the user wants to validate against a pre-shared certificate, but not the use-case where the user wants to validate against the certificate(s) contained within the PKCS7 file.

Given that this is a partial implementation of PKCS7, this limitation seems acceptable (although it would be good to complete the implementation at some point).

I do think that a documentation improvement is needed - we will push a PR to address this.

Possibly mbedtls_pkcs7_signed_*_verify could be renamed to something like mbedtls_pkcs7_signed_*_verify_against_external_cert, as the use of the cert is different to using it as a trust anchor for the certificates provided in the file - but I need to think about this a bit more. Do you have any thoughts on this?

@DemiMarie
Contributor Author

> The PKCS7 API does not verify the certificates: anyone can include a self-signed certificate and have it be accepted as valid. Unless an application does additional checks on the certificate, a valid PKCS7 signature provides no security whatsoever.

> mbedtls_pkcs7_signed_*_verify validates against the public key in the certificate supplied by the caller. It does not validate against the certificate(s) in the pkcs7 file.

Ah, good point. I thought it did the latter.
