Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Error parsing CA file #9324

Open Skybound1 opened 3 months ago

Skybound1 commented 3 months ago

Summary

Arch Linux has switched to using mbed for ffmpeg. This caused a few breakages which have been fixed by including system CAs (as described in https://gitlab.archlinux.org/archlinux/packaging/packages/ffmpeg/-/issues/10).

I have a few custom root CAs loaded into my system's trust store. One of which is a CA with a name constraint as a critical extension, which I understand is not currently supported by mbed (https://github.com/Mbed-TLS/mbedtls/issues/8759).

This leads to the error mbedtls_x509_crt_parse_file for CA cert returned 1 when loading the system's CA file.

System information

Mbed TLS version (number or commit id):

Operating system and version: Arch Linux

Configuration (if not default, please attach mbedtls_config.h):

Compiler and options (if you used a pre-built binary, please indicate how you obtained it): Compiled into ffmpeg as part of Arch Linux distribution from package manager

Additional environment information:

Expected behavior

A CA that cannot be parsed should not stop the parsing and loading of other root certificates from a CA file. The problematic CA should be ignored, and the remainder of the CAs should still be parsed and loaded if valid.

Actual behavior

A CA that cannot be parsed stops the parsing of other CAs in the same CA file, regardless of whether the rest are valid or not.

Steps to reproduce

Additional information

paul-elliott-arm commented 3 months ago

Hi @Skybound1 - The failure to parse any other certs once one cert fails sounds like an implementation detail outside of our library, I am afraid. There is nothing we do that would affect that, so it may be worth also reporting this upstream to ffmpeg.

I will raise this issue again with the team, but again, it's not something we are likely to have time to implement in the immediate future.

Skybound1 commented 3 months ago

Ah fair enough, sorry about that. Will also raise with ffmpeg.

Skybound1 commented 3 months ago

Reading through the code, am I correct in understanding that mbedtls_x509_crt_parse_file returns < 0 for error, 0 for no errors, and > 0 if there is a count of specific certificates that failed to load, but otherwise not an overall error?

paul-elliott-arm commented 3 months ago

And to re-iterate, we would welcome any patch that implemented this.

davidhorstmann-arm commented 3 months ago

> Reading through the code, am I correct in understanding that mbedtls_x509_crt_parse_file returns < 0 for error, 0 for no errors, and > 0 if there is a count of specific certificates that failed to load, but otherwise not an overall error?

When a critical extension fails parsing we return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG. If the extension is not marked as critical we continue parsing and ignore the failure.

The correct workaround for extensions not supported by Mbed TLS is for the calling code to supply an extension-parsing callback function that parses the extension.
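The behaviour requested in this issue (skip a CA that cannot be parsed, keep loading the rest), shown at the caller's level as an added example; it is not code from Mbed TLS or ffmpeg. `load_ca_bundle`, `cert_parse_fn` and `stub_parse` are hypothetical names, the bundle is constructed, and the return convention is assumed to be the one Skybound1 asks about above (negative: fatal, 0: clean, positive: number of certificates skipped).

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Hypothetical per-certificate parser hook: 0 = parsed, non-zero = rejected.
 * A real caller would wrap its TLS library's single-certificate parser. */
typedef int (*cert_parse_fn)(const char *pem, size_t len, void *ctx);

/* Parse each PEM block on its own so one rejected CA cannot hide the rest.
 * Returns -1 if nothing loaded, 0 if all loaded, else the number skipped. */
int load_ca_bundle(const char *bundle, cert_parse_fn parse, void *ctx, int *loaded)
{
    int ok = 0, skipped = 0;
    const char *p = bundle;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *end = strstr(p, PEM_END);
        if (end == NULL) { skipped++; break; }   /* truncated last block */
        end += strlen(PEM_END);
        if (parse(p, (size_t)(end - p), ctx) == 0) ok++;
        else skipped++;                          /* skip this CA, keep going */
        p = end;
    }
    if (loaded != NULL) *loaded = ok;
    return ok == 0 ? -1 : skipped;
}

/* Constructed stand-in parser: rejects any block carrying this marker. */
static int stub_parse(const char *pem, size_t len, void *ctx)
{
    static const char bad[] = "CRITICAL-NAME-CONSTRAINTS";
    size_t n = sizeof(bad) - 1;
    (void)ctx;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(pem + i, bad, n) == 0) return 1;
    return 0;
}

/* Constructed bundle: placeholder bodies, not real certificates. */
static const char SAMPLE_BUNDLE[] =
    PEM_BEGIN "\nCA-A\n" PEM_END "\n"
    PEM_BEGIN "\nCA-WITH-CRITICAL-NAME-CONSTRAINTS\n" PEM_END "\n"
    PEM_BEGIN "\nCA-B\n" PEM_END "\n";

int main(void)
{
    int loaded = 0;
    int ret = load_ca_bundle(SAMPLE_BUNDLE, stub_parse, NULL, &loaded);
    printf("ret=%d loaded=%d\n", ret, loaded);
    return ret < 0;   /* only "nothing loaded" is fatal */
}
```

Skipping a CA whose critical extension the parser cannot handle keeps that CA out of the trust store, rather than trusting it without its name constraint.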