Forge can accept malformed X.509 certificates and chain them #1049

Open
x509-name-testing opened this issue Sep 25, 2023 · 0 comments

Comments

@x509-name-testing

Hi there,

I am writing to report some bugs. We found that forge can accept empty attributes in the issuer/subject. For example, if the issuer cert's subject field and the entity cert's issuer field are CN=(null), forge chained them and returned true when using the provided API, which does not adhere to the related description in RFC 5280. Forge can also chain a pair of certificates without the issuer/subject field; that is, the full issuer/subject is NULL, but it can be parsed by forge and the pair chained. We use the examples in the following:

case 1: empty attribute


case 2: empty field(s)


The example code calling the API is like this:

// verify
var forge = require('node-forge');
var pki = forge.pki;
// ca and leaf hold the PEM strings of the CA and end-entity certificates above
var caStore = pki.createCaStore([ca]);       // accepts PEM strings or certificate objects
var chain = [pki.certificateFromPem(leaf)];  // verifyCertificateChain expects certificate objects
var ret = false;
ret = pki.verifyCertificateChain(caStore, chain);
console.log(ret);

Looking forward to your reply. Many thanks.
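The following is an added example, not code from the issue or from node-forge itself: a pre-check that flags the two malformed name shapes reported above (empty attribute value, entirely empty name) before a chain is handed to pki.verifyCertificateChain. It reads the attribute arrays forge produces for cert.subject and cert.issuer, so the constructed sample objects below stand in for parsed certificates and the block runs without forge installed; the function and sample names are assumptions.

```javascript
// RFC 5280 4.1.2.4 requires a non-empty issuer DN; 4.1.2.6 permits an empty subject
// only on an end-entity certificate that carries a critical subjectAltName, and
// X520CommonName is constrained to SIZE (1..ub-common-name), so CN="" is invalid.
function checkName(attrs, label) {
  if (!Array.isArray(attrs) || attrs.length === 0) {
    return label + ': name is empty';
  }
  for (const a of attrs) {
    if (typeof a.value !== 'string' || a.value.length === 0) {
      return label + ': attribute ' + (a.shortName || a.name) + ' has an empty value';
    }
  }
  return null;
}

// cert mirrors the subset of a forge Certificate object the check needs:
// subject.attributes, issuer.attributes and extensions (hypothetical shape names only).
function findNameDefects(cert, isCa) {
  const defects = [];
  const issuerErr = checkName(cert.issuer.attributes, 'issuer');
  if (issuerErr) defects.push(issuerErr);
  const subjectErr = checkName(cert.subject.attributes, 'subject');
  if (subjectErr) {
    const san = (cert.extensions || []).find(e => e.name === 'subjectAltName');
    const emptySubject = cert.subject.attributes.length === 0;
    // An entirely empty subject is excused only on a leaf with a critical SAN.
    if (!(emptySubject && !isCa && san && san.critical)) defects.push(subjectErr);
  }
  return defects;
}

// Constructed samples modelled on case 1: CA subject CN="" and leaf issuer CN="".
const caCase1 = {
  subject: { attributes: [{ shortName: 'CN', value: '' }] },
  issuer: { attributes: [{ shortName: 'CN', value: 'aa11' }] },
  extensions: [] };
const leafCase1 = {
  subject: { attributes: [{ shortName: 'CN', value: 'aaaa' }] },
  issuer: { attributes: [{ shortName: 'CN', value: '' }] },
  extensions: [{ name: 'subjectAltName', critical: false }] };

// Gate: only call pki.verifyCertificateChain when neither certificate has a defect.
function chainNamesAreWellFormed(caCert, leafCert) {
  return findNameDefects(caCert, true).length === 0 &&
         findNameDefects(leafCert, false).length === 0;
}
```

With forge available, the same functions accept the objects returned by pki.certificateFromPem(pem) directly.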
