Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistent IDP extension constraint check #11467

Merged
merged 2 commits into from
Oct 12, 2024
Merged

Inconsistent IDP extension constraint check #11467

merged 2 commits into from
Oct 12, 2024

Conversation

hwooley
Copy link
Contributor

@hwooley hwooley commented Aug 21, 2024

Hello, I found an inconsistent IDP extension constraint check per RFC5280 Section 5.2.5. I do not think the indirectCRL needs to be subject to that. Excerpt from the RFC:

-- at most one of onlyContainsUserCerts, onlyContainsCACerts,
-- and onlyContainsAttributeCerts may be set to TRUE.

Thank you

@hwooley
Per RFC5280 Section 5.2.5, the Issuing Distribution Point extension i…
8ccec8d 
…n a CRL can have only one of onlyContainsUserCerts, onlyContainsCACerts, onlyContainsAttributeCerts set to TRUE. However, extensions.py (lines 1991 : 2003), indirectCRL is also included, which leads to invalid CRL even if the RFC requirement is met. The proposed fix is to drop indirectCRL from the check so it conforms to the RFC.
@alex
Copy link
Member

alex commented Aug 21, 2024 via email

@woodruffw
Copy link
Contributor

Cc: @woodruffw this may be a CABF requirement

Here's the relevant CABF section: https://cabforum.org/working-groups/server/baseline-requirements/requirements/#7221-crl-issuing-distribution-point

The indirectCRL and onlyContainsAttributeCerts fields MUST be set to FALSE (i.e., not asserted).

The CA MAY set either of the onlyContainsUserCerts and onlyContainsCACerts fields to TRUE, depending on the scope of the CRL.

The CA MUST NOT assert both of the onlyContainsUserCerts and onlyContainsCACerts fields.

So CABF is consistent with 5280 on this, it seems, insofar as onlyContainsAttributeCerts is always FALSE and the other two are always exclusive of each other.

(I think this has no effect on the validator, though, since this extension is for CRLs only and not CAs/leafs?)

@hwooley
Copy link
Contributor Author

hwooley commented Aug 22, 2024

Ah, I see... I think your comment about the having no effect on the validator may be true though I am not 100% sure. But, wouldn't this check mean that indirectCRL can never be set to TRUE in the CRL for it to be valid? I basically discovered this when loading the CRL that contains the IDP with indirectCRL, onlyContainsUserCerts set to TRUE.

@alex
Copy link
Member

alex commented Aug 25, 2024

@reaperhulk do you remember why we did this? just an accident?

Either way, it seems like this change is correct, and if you can fix the tests, we can get this merged.

@reaperhulk
Copy link
Member

Yes this appears to be a mistake, so if the tests get fixed here then this fix looks correct.

@hwooley
Copy link
Contributor Author

hwooley commented Sep 24, 2024

Hi @alex I can work on fixing the tests. Would you let me know how I can invoke the tests locally?

@alex
Copy link
Member

alex commented Sep 24, 2024 via email

@hwooley
Copy link
Contributor Author

hwooley commented Oct 11, 2024
edited
Loading

Thank you. I shorted the comment line and also removed the invalid test case. I used nox -e local to check. All test cases passed. Could you take a look? Test is still running but I see one failure "CI / distros (ubuntu-rolling:aarch64, tests, self-hosted, Linux, ARM64) (pull_request)". Not sure if this is related to the IDP change. First time doing this, so let me know if I missed anything. Thank you.

@alex alex enabled auto-merge (squash) October 12, 2024 01:41
@alex alex merged commit 6bd5d49 into pyca:main Oct 12, 2024
59 checks passed
@alex
Copy link
Member

alex commented Oct 12, 2024

Thanks for contributing!

@hwooley
Copy link
Contributor Author

hwooley commented Oct 12, 2024

You bet!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alex alex alex approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hwooley @alex @woodruffw @reaperhulk