ssl: bug fix: verify cert signature against original cert DER

Matthew Campbell

Our Erlang/OTP program calls out to a third-party web service over HTTPS. That web server's certificate includes the `id-ce-keyUsage` extension with typical values for a web server: `digitalSignature` and `keyEncipherment`. However, the bit string representation for this value is encoded in a nonstandard way:

    733:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
    738:d=5  hl=2 l=   1 prim: BOOLEAN           :255
    741:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030200A0

The `00` byte indicates zero unused bits in the bit-string. Standard encoding has `05` instead, since only bits 1 and 3 are set, leaving 5 trailing zero bits.

This certificate parses just fine in OTP, but because it does not include the necessary fields in its `id-ce-authorityKeyIdentifier` extension, the issuer must be looked up in the CertDB. Because OTP encodes the key usages according to standard as hex `030205A0`, the process of re-encoding the certificate when searching for the issuer in the CertDB causes signature verification to fail erroneously, causing our program's client to fail validation of the server's certificate with the alert `unknown_ca`.

My patch provided the original binary DER to the `pkix_verify` function used during the fold over the CertDB, avoiding false negatives due to differences between DER encoding implementations of OTP and other platforms. PR submitted at

git fetch git:// mc/ssl_patch

erlang-patches mailing list
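The encoding mismatch described in the post, as an added Python example that is not part of the original message or of OTP's code: it decodes the `030200A0` value from the dump, re-encodes it canonically, and shows that a digest over the surrounding bytes changes. The `digest_with` helper and its prefix are constructed stand-ins for the signed portion of a certificate.

```python
import hashlib

# KeyUsage named bits (RFC 5280); bit 0 is the most significant bit.
KEY_USAGE = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign",
             "cRLSign", "encipherOnly", "decipherOnly"]

def decode_key_usage(der: bytes) -> list[str]:
    """Decode a short-form DER BIT STRING into KeyUsage names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form BIT STRING")
    unused, content = der[2], der[3:]
    if unused > 7 or (unused and not content):
        raise ValueError("bad unused-bits count")
    nbits = len(content) * 8 - unused
    value = int.from_bytes(content, "big")
    return [name for i, name in enumerate(KEY_USAGE)
            if i < nbits and value >> (len(content) * 8 - 1 - i) & 1]

def encode_key_usage(names: list[str]) -> bytes:
    """Canonical DER: strip trailing zero bits and count them as unused."""
    bits = [name in names for name in KEY_USAGE]
    while bits and not bits[-1]:
        bits.pop()
    unused = -len(bits) % 8
    text = "".join("1" if b else "0" for b in bits) + "0" * unused
    content = int(text or "0", 2).to_bytes(len(text) // 8, "big")
    return bytes([0x03, len(content) + 1, unused]) + content

def digest_with(key_usage_der: bytes) -> str:
    # Constructed stand-in for the signed bytes; only the extension value varies.
    return hashlib.sha256(b"constructed-tbs-prefix" + key_usage_der).hexdigest()

ORIGINAL = bytes.fromhex("030200A0")   # extension value from the dump in the post
REENCODED = encode_key_usage(decode_key_usage(ORIGINAL))

if __name__ == "__main__":
    print("decoded   :", decode_key_usage(ORIGINAL))
    print("re-encoded:", REENCODED.hex().upper())
    print("same digest:", digest_with(ORIGINAL) == digest_with(REENCODED))
```

Both encodings decode to the same key usages, so a check that compares decoded values will not notice the difference; only a comparison of the raw bytes does.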