Issue 4657080: code review 4657080: crypto/x509: prevent chain cycles in Verify

Issue 4657080: code review 4657080: crypto/x509: prevent chain cycles in Verify (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
13 years, 8 months ago by agl1

Modified:
13 years, 8 months ago

Reviewers:

CC:
bradfitz, golang-dev

Visibility:
Public.

Description

crypto/x509: prevent chain cycles in Verify It's possible to include a self-signed root certificate as an intermediate and push Verify into a loop. I already had a test for this so I thought that it was ok, but it turns out that the test was void because the Verisign root certificate doesn't contain the "IsCA" flag and so it wasn't an acceptable intermediate certificate for that reason.

Patch Set 1 #

Patch Set 2 : diff -r f822b48fedeb https://go.googlecode.com/hg/ #

Patch Set 3 : diff -r f822b48fedeb https://go.googlecode.com/hg/ #

Patch Set 4 : diff -r 5f2ce0cf2484 https://go.googlecode.com/hg/ #

Created: 13 years, 8 months ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+17 lines, -10 lines)			Patch
	M	src/pkg/crypto/x509/verify.go	View	1	1 chunk	+6 lines, -0 lines	0 comments	Download
	M	src/pkg/crypto/x509/verify_test.go	View	1	2 chunks	+11 lines, -10 lines	0 comments	Download

Messages

Total messages: 3

Expand All Messages | Collapse All Messages

agl1

Hello bradfitz@golang.org (cc: golang-dev@googlegroups.com), I'd like you to review this change to https://go.googlecode.com/hg/

13 years, 8 months ago (2011-07-07 17:59:14 UTC) #1

bradfitz

LGTM On Thu, Jul 7, 2011 at 10:59 AM, <agl@golang.org> wrote: > Reviewers: bradfitz, > ...

13 years, 8 months ago (2011-07-07 18:01:47 UTC) #2

LGTM

On Thu, Jul 7, 2011 at 10:59 AM, <agl@golang.org> wrote:

> Reviewers: bradfitz,
>
> Message:
> Hello bradfitz@golang.org (cc: golang-dev@googlegroups.com),
>
> I'd like you to review this change to
> https://go.googlecode.com/hg/
>
>
> Description:
> crypto/x509: prevent chain cycles in Verify
>
> It's possible to include a self-signed root certificate as an
> intermediate and push Verify into a loop.
>
> I already had a test for this so I thought that it was ok, but it
> turns out that the test was void because the Verisign root certificate
> doesn't contain the "IsCA" flag and so it wasn't an acceptable
> intermediate certificate for that reason.
>
> Please review this at
http://codereview.appspot.com/**4657080/<http://codereview.appspot.com/4657080/>
>
> Affected files:
>  M src/pkg/crypto/x509/verify.go
>  M src/pkg/crypto/x509/verify_**test.go
>
>
> Index: src/pkg/crypto/x509/verify.go
> ==============================**==============================**=======
> --- a/src/pkg/crypto/x509/verify.**go
> +++ b/src/pkg/crypto/x509/verify.**go
> @@ -171,8 +171,14 @@
>                chains = append(chains, appendToFreshChain(**currentChain,
> root))
>        }
>
> +nextIntermediate:
>        for _, intermediateNum := range
opts.Intermediates.**findVerifiedParents(c)
> {
>                intermediate := opts.Intermediates.certs[**intermediateNum]
> +               for _, cert := range currentChain {
> +                       if cert == intermediate {
> +                               continue nextIntermediate
> +                       }
> +               }
>                err = intermediate.isValid(**intermediateCertificate, opts)
>                if err != nil {
>                        continue
> Index: src/pkg/crypto/x509/verify_**test.go
> ==============================**==============================**=======
> --- a/src/pkg/crypto/x509/verify_**test.go
> +++ b/src/pkg/crypto/x509/verify_**test.go
> @@ -72,16 +72,6 @@
>                },
>        },
>        {
> -               leaf:          googleLeaf,
> -               intermediates: []string{verisignRoot, thawteIntermediate},
> -               roots:         []string{verisignRoot},
> -               currentTime:   1302726541,
> -
> -               expectedChains: [][]string{
> -                       []string{"Google", "Thawte", "VeriSign"},
> -               },
> -       },
> -       {
>                leaf:          dnssecExpLeaf,
>                intermediates: []string{startComIntermediate}**,
>                roots:         []string{startComRoot},
> @@ -91,6 +81,17 @@
>                        []string{"dnssec-exp", "StartCom Class 1", "StartCom
> Certification Authority"},
>                },
>        },
> +       {
> +               leaf:          dnssecExpLeaf,
> +               intermediates: []string{startComIntermediate,
> startComRoot},
> +               roots:         []string{startComRoot},
> +               currentTime:   1302726541,
> +
> +               expectedChains: [][]string{
> +                       []string{"dnssec-exp", "StartCom Class 1",
> "StartCom Certification Authority"},
> +                       []string{"dnssec-exp", "StartCom Class 1",
> "StartCom Certification Authority", "StartCom Certification Authority"},
> +               },
> +       },
>  }
>
>  func expectHostnameError(t *testing.T, i int, err os.Error) (ok bool) {
>
>
>

agl1

13 years, 8 months ago (2011-07-07 22:06:59 UTC) #3

*** Submitted as http://code.google.com/p/go/source/detail?r=8c5c270c9653 ***

crypto/x509: prevent chain cycles in Verify

It's possible to include a self-signed root certificate as an
intermediate and push Verify into a loop.

I already had a test for this so I thought that it was ok, but it
turns out that the test was void because the Verisign root certificate
doesn't contain the "IsCA" flag and so it wasn't an acceptable
intermediate certificate for that reason.

R=bradfitz
CC=golang-dev
http://codereview.appspot.com/4657080

Expand All Messages | Collapse All Messages