
Some characters can result in name confusion in the X.509 hostname verification process #1943

Open
x509-name-testing opened this issue Sep 20, 2023 · 3 comments

@x509-name-testing

Hi there,

I am writing to report a bug in the X.509 hostname verification process, which might result in name confusion attacks.

My testing environment is php7/php8. Here is some example code.

<?php
require 'vendor/autoload.php';
use phpseclib3\File\X509;

$ee_crt = <<<'EOD'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOD;
// the ee cert `DNS=a+`
$name = "aa";

$x509 = new X509();
// $ca = $x509->loadCA(file_get_contents($ca_cert_path));
$ee = $x509->loadX509($ee_crt);

// domain name: validateURL() expects a URL, so prepend a scheme when none is given
// (strpos() returns false, not 0, when "//" is absent, so compare with === false)
// echo $name; echo "\n";
if (strpos($name, "//") === false) {
	$name = "https://" .  $name;
}
// validate the hostname in $name against the loaded end-entity certificate
$ret = $x509->validateURL($name);
// echo $ret; echo "\n";
echo $ret ? 'ok' : 'error'; echo "\n";
if ($ret) {exit(0);} 
else {exit(1);}
?>

In the previous case, the + matched a, which should be an obvious name confusion. And here are two other cases for your reference:

// ---- case 2
$ee_crt = <<<'EOD'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOD;
// the ee cert `DNS=|/`
$name = "./";

// ---- case 3
$ee_crt = <<<'EOD'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOD;
// the ee cert `DNS=.+`
$name = "./";

From the cases, it seems some characters, such as +, can act as wildcards in phpseclib. If so, it should be a security issue. Could the development team have a look at these cases? Many thanks.

I am looking forward to your reply.

Regards.
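Added illustration (Python, written for this page; it is not phpseclib's code and does not call its API): the three SAN/hostname pairs in the report all become matches if the dNSName is handed to a regex engine with only '*' rewritten, which is assumed here to be the mechanism behind the reported behaviour. The strict matcher beside it never treats the SAN as a pattern: it compares labels literally, case-insensitively, and allows '*' only as the entire leftmost label, as RFC 6125 does. The case list, helper names and the extra example pairs are constructed for this example.

```python
import re

# Added illustration, not phpseclib's code. naive_match() models the assumed
# root cause: the SAN dNSName is turned into a regex (only '*' is meant to be
# a wildcard) without escaping, so any regex metacharacter in the name becomes
# a wildcard too. strict_match() is an RFC 6125-style matcher that never
# interprets the SAN as a pattern.

LDH_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")  # letters, digits, hyphen


def naive_match(san_dns: str, hostname: str) -> bool:
    """Assumed buggy approach: '*' -> '[^.]*', everything else reaches the regex engine as-is."""
    pattern = "^" + san_dns.replace("*", "[^.]*") + "$"
    return re.match(pattern, hostname, re.IGNORECASE) is not None


def _labels(name: str):
    # A trailing dot (absolute name) and letter case are insignificant in DNS matching.
    return name.rstrip(".").lower().split(".")


def strict_match(san_dns: str, hostname: str) -> bool:
    """Literal, label-by-label comparison; '*' allowed only as the entire leftmost label."""
    san, host = _labels(san_dns), _labels(hostname)
    if san == [""] or host == [""]:
        return False
    if san[0] == "*":
        # The wildcard must be followed by at least two labels (no '*', no '*.com')
        # and it matches exactly one label of the presented hostname.
        if len(san) < 3 or len(host) != len(san):
            return False
        if not LDH_LABEL.match(host[0]):
            return False
        san, host = san[1:], host[1:]
    # Every remaining label on both sides must be a plain LDH label; any other
    # character ('+', '|', '/', ...) is rejected instead of being interpreted.
    if not all(LDH_LABEL.match(label) for label in san + host):
        return False
    return san == host


def verify_hostname(san_dns_names, hostname, matcher=strict_match) -> bool:
    """A certificate is acceptable for hostname if any of its dNSName SANs matches."""
    return any(matcher(san, hostname) for san in san_dns_names)


# Constructed inputs: the three pairs from the report plus ordinary cases.
CASES = [
    ("a+", "aa"),
    ("|/", "./"),
    (".+", "./"),
    ("*.example.com", "www.example.com"),
    ("*.example.com", "wwwXexampleXcom"),   # unescaped '.' in the naive regex
    ("*.example.com", "a.b.example.com"),
    ("www.example.com", "WWW.EXAMPLE.COM."),
]


def run_cases():
    """Return {(san, host): (naive_result, strict_result)} for the constructed cases."""
    return {(s, h): (naive_match(s, h), strict_match(s, h)) for s, h in CASES}


if __name__ == "__main__":
    for (s, h), (naive, strict) in run_cases().items():
        print(f"SAN={s!r:20} host={h!r:22} naive={naive!s:5} strict={strict}")
```

The second pair from the report is the instructive one: with the name anchored as ^|/$ the alternation makes ^ alone a valid branch, so the "pattern" matches every hostname, not just "./". The fix in the strict matcher is not to escape better but to refuse the regex engine altogether: a dNSName that is not a sequence of LDH labels (optionally led by a lone '*') cannot match anything.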

@terrafrost
Member

I'll try to take a look at this within the next few days. I'm doing https://www.indigoalpineguides.com/alpine-cliff-camping this evening and need to prep for that.

@terrafrost
Member

6cd6e8c should fix this.

Thanks!

@x509-name-testing
Author

x509-name-testing commented Sep 25, 2023 via email

@bantu bantu added the bug label Apr 22, 2024