golbi
commented
6 years ago Hi Paul First of all sorry it took so long! Second - thank you for the patch, and even more for the very detailed description of the problem and all investigation. That's super helpful.
I'm closing this pull request as it has some minor flaws and one biger. Namely we can not solve the bug this way as this would break one other, legitimate feature of canl: possibility to have multi-pem files. In openssl truststore it is not possible but directory truststore allows for this.
I've fixed this on my own in slightly different way, also added a test case for this.
Motivation:
Now that SHA-1 is considered broken, certificate authorities are migrating to a SHA-2 (e.g., SHA-256) based certificates. This includes the certificate describing the CA itself, or that describe subordinate CAs.
To avoid having to reissue all currently valid EECs, the new SHA-2 certificate has the same DN and identification elements (authorityKeyIdentifier and subjectKeyIdentifier, as appropriate). Therefore, the 'hash' (used to create the filename within the OpenSSL-like trust-store) remains the same.
It has been reported that, after installing the new SHA-2 CA certificate, EECs issued by such CAs are no longer considered valid:
This is caused by the CaNL in-memory trust store mistakenly containing both the old (SHA-1) and new (SHA-2) certificates. When validating an EEC, that there are two matching TrustAnchor instances from the trust-store is considered an error condition and prevents the validation from succeeding.
As pointed out by Robert in the above ticket, the root cause is that, although the old and new certificates have the same filename, the certificates are not actually the same. This difference prevents the new certificate from evicting the old certificate.
Modification:
In part, this problem stems from the same information being held in two places. Therefore this patch fixes this issue simply by removing that duplication.
Result:
Valid EECs will verify correctly after the CA that issued the EEC has modified its certificate in a way that modifies the certificate without changing the filename hash.