NICMx / FORT-validator

RPKI cache validator
MIT License

Review IRIs to file names transition #119

Open ydahhrk opened 7 months ago

ydahhrk commented 7 months ago

Old warning that popped up during a review. I believe this was the train of thought:

  1. The certificate "accessLocation" field is (at heart) an Internationalized Resource Identifier (IRI).
  2. However, the RFC wants it "mapped" (whatever that means) into a Uniform Resource Identifier (URI) when stored in the certificate.
  3. URIs are "sequences of characters from the ASCII character set." (It's not clear whether it equals ASCII or is a subset of ASCII, needs research.)
  4. The field type of the URI is "IA5String". IA5String allows a subset of ASCII. (So it's not clear whether it's entirely compatible with the URI charset, needs research.)
  5. Fort converts those IA5Strings to file paths in the local filesystem.

I think the gist of it is that the RFC's mention of IRIs made me afraid of characters that could translate incorrectly at some point on their way to becoming file names. Since the certificate field is supposed to be in URI form, it "should" (in theory) convert bureaucracylessly into an IA5String, and the IA5String "should" convert bureaucracylessly into a file name because it's a small subset of ASCII. So the question is whether URIs are fully compatible with IA5Strings.

But also, unless libcrypto does it somewhere, I don't think Fort is validating that the IA5String contained in the certificate is, in fact, a valid IA5String.

So this might be a security vulnerability against malicious certificates.
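The following is an added example, not Fort's code and not part of the issue above: it shows what the missing check would look like in C, walking the chain the comment describes (raw certificate bytes, IA5String, URI, file name) and rejecting at each step instead of trusting libcrypto. It assumes a hypothetical fixed cache root `/var/cache/fort`, accepts only `rsync://` locations, refuses query and fragment components as a policy choice, and never decodes percent-escapes so that `%2e%2e` cannot turn into `..`. The input is taken as a byte buffer with an explicit length, because a DER IA5String may legally carry an embedded NUL that a C string would silently truncate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical values for this example; Fort's real configuration differs. */
#define CACHE_ROOT "/var/cache/fort"
#define RSYNC_PREFIX "rsync://"

enum uri_result {
	URI_OK = 0,
	URI_NOT_IA5 = -1,     /* some byte is > 0x7F: not an IA5String at all */
	URI_BAD_CHAR = -2,    /* control char, NUL, space, or outside the URI charset */
	URI_BAD_SCHEME = -3,  /* does not start with rsync:// */
	URI_BAD_SEGMENT = -4, /* empty, "." or ".." segment, or missing host */
	URI_TOO_LONG = -5,    /* result does not fit in the caller's buffer */
};

/* IA5String (ITU-T T.50 / ISO 646) is 7-bit: every byte must be 0x00..0x7F. */
bool is_ia5string(const unsigned char *s, size_t len)
{
	for (size_t i = 0; i < len; i++)
		if (s[i] > 0x7F)
			return false;
	return true;
}

/* RFC 3986 URI characters: unreserved, gen-delims, sub-delims and '%'.
 * A proper subset of IA5String: no controls, no DEL, no space, no NUL. */
bool is_uri_char(unsigned char c)
{
	if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	    (c >= '0' && c <= '9'))
		return true;
	return c != '\0' && strchr("-._~:/?#[]@!$&'()*+,;=%", c) != NULL;
}

/* Map an accessLocation (raw bytes + length) to a path under CACHE_ROOT.
 * Percent-escapes are left as-is, so "%2e%2e" stays a literal file name. */
enum uri_result uri_to_cache_path(const unsigned char *uri, size_t len,
    char *out, size_t outlen)
{
	size_t i, start, seglen, written, plen = strlen(RSYNC_PREFIX);
	bool has_host = false;

	if (!is_ia5string(uri, len))
		return URI_NOT_IA5;
	for (i = 0; i < len; i++)
		if (!is_uri_char(uri[i])) /* also catches embedded NUL */
			return URI_BAD_CHAR;
	/* Policy assumption: query/fragment have no meaning for rsync. */
	if (memchr(uri, '?', len) || memchr(uri, '#', len))
		return URI_BAD_CHAR;
	if (len < plen || memcmp(uri, RSYNC_PREFIX, plen) != 0)
		return URI_BAD_SCHEME;

	written = snprintf(out, outlen, "%s", CACHE_ROOT);
	if (written >= outlen)
		return URI_TOO_LONG;

	/* Walk host and path as '/'-separated segments, one directory each. */
	for (start = plen; start <= len; start = i + 1) {
		for (i = start; i < len && uri[i] != '/'; i++)
			;
		seglen = i - start;
		if (seglen == 0) {
			if (i == len && has_host) /* tolerate a trailing slash */
				break;
			return URI_BAD_SEGMENT;   /* "//" or missing host */
		}
		if ((seglen == 1 && uri[start] == '.') ||
		    (seglen == 2 && uri[start] == '.' && uri[start + 1] == '.'))
			return URI_BAD_SEGMENT;   /* path traversal */
		if (written + 1 + seglen >= outlen)
			return URI_TOO_LONG;
		out[written++] = '/';
		memcpy(out + written, uri + start, seglen);
		written += seglen;
		out[written] = '\0';
		has_host = true;
	}
	return has_host ? URI_OK : URI_BAD_SEGMENT;
}

/* Convenience wrapper for NUL-terminated literals; result lands in path_buf. */
static char path_buf[512];
enum uri_result map_literal(const char *uri)
{
	return uri_to_cache_path((const unsigned char *)uri, strlen(uri),
	    path_buf, sizeof path_buf);
}
const char *last_path(void) { return path_buf; }

int main(void)
{
	/* Constructed sample locations, not taken from any real repository. */
	const char *samples[] = {
		"rsync://rpki.example.net/repo/ca.cer",
		"rsync://rpki.example.net/../../etc/passwd",
		"rsync://rpki.example.net/re po",
	};
	for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
		enum uri_result r = map_literal(samples[n]);
		printf("%-45s -> %d %s\n", samples[n], r,
		    r == URI_OK ? path_buf : "(rejected)");
	}
	return 0;
}
```

The IA5 check is listed first on purpose: it is the check the comment suspects is missing, and it is cheap enough that there is no reason to rely on the DER decoder having done it. Everything after it is the URI-to-file-name policy, which a real validator would tune (for example, whether to allow a trailing slash or `%`), but the traversal and control-character rejections should stay.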