Closed jsha closed 8 years ago
/cc @agl
@agl Is this important for Go 1.7?
I don't believe that this warrants rushing for 1.7.
Thanks for the issue and repro @jsha. I was bored this evening and decided to take a stab at this with https://go-review.googlesource.com/23571 using most of your repro in the tests. I couldn't find your email though @jsha and so far I have requested a review only from @agl. Please feel free to join in.
CL https://golang.org/cl/23571 mentions this issue.
Per agl's comment above and his comment on the CL, postponing to 1.8.
Here's the list of certificates from the Pilot CT log where the chain contains a link that needs canonicalisation before the Subject and Issuer match. It shows the common name of the certificates in that link followed by the common names of each (unexpired) leaf certificate affected by that link.
There's a small number of public certificates affected, mostly by Siemens and WellsFargo's internal CAs. (The UCA root doesn't appear to be in Mozilla yet.)
I'll wait for comments but, based on this, it looks viable that we would want to require a strict match of issuer/subject when checking chains. (I.e. these certificates would break.)
SHECA G2 -> UCA Root (1)
SHECA G2
Justica -> ECRaizEstado (1)
servicos.igsj.mj.pt
AC Firmaprofesional - CUALIFICADOS -> Autoridad de Certificacion Firmaprofesional CIF A62634068 (1)
AC Firmaprofesional - CUALIFICADOS
Siemens Issuing CA Class Internet Server 2013 -> Siemens Internet CA V1.0 (51)
www.industry.siemens.com
sts-online.siemens.com
www.industry.siemens.com
boardroom.siemens.com
cl.siemens.com
events.siemens.nl
messagecockpit.siemens.com
Siemens Issuing CA Class Internet Server 2013
inet.usa.siemens.com
brandville.siemens.com
www.weblogx.siemens.de
www.automatyka.siemens.pl
www.industry.siemens.pl
www.low-medium-voltage.siemens.pl
www.buildingtechnologies.siemens.pl
www.mobility.siemens.pl
bt-service.siemens.nl
author.siemens.com
SMARTBUY.SIEMENS.COM.CN
scdlite.realestate.siemens.com
mes-simaticit.siemens.com
socialmedia.siemens.com
ura-cyp.industrysoftware.automation.siemens.com
mx.siemens.com.hk
ura-col.industrysoftware.automation.siemens.com
download.industrysoftware.automation.siemens.com
shop.healthcare.siemens.com
social.siemens.com
training.plm.automation.siemens.com
www.smc.siemens.de
teamplay.siemens.com
www.plm.automation.siemens.com
plmapps.industrysoftware.automation.siemens.com
psa.industrysoftware.automation.siemens.com
salesforce.industrysoftware.automation.siemens.com
m.plm.automation.siemens.com
www2.industrysoftware.automation.siemens.com
sales.industrysoftware.automation.siemens.com
eintegration.siemens.es
webapp.siemens.it
pkiss-activate-card.siemens.com
pkiss-emergency.siemens.com
gate.public.siemens.com
www.siemens.com.hk
www.ubc.siemens.com.cn
webtac.industrysoftware.automation.siemens.com
www.sitrain-int.siemens.com
partners.sea.siemens.com
adminaccess.public.siemens.com
pkidownload.siemens.com
lmdcontent.industrysoftware.automation.siemens.com
www.medsrv1.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
www.medsrv1.com
SHECA G2-1 -> UCA Root (35)
SHECA G2-1
fmis.cdtfc.com.cn
ef-g21.wwwtrust.org
www.en.sge.com.cn
www.sge.com.cn
*.haier.com
my.iport.com.cn
capital.hitachi-clc.com.cn
cashflow-cn.kerryprops.com
cw.jxcc.com
www.ibjl-cn.com
www.ewppay.cn
*.shtel.com.cn
www.beckmancoulterdealer.com.cn
mis.baofinance.com
shjljg.scofcom.gov.cn
www.gss-sh.org
www.beckmancoulterdealer.com.cn
yf.sh.cn
epay.whfhjc.com.cn
loan.jlcwgs.com
kenki.hitachi-clc.com.cn
orgs.stcsm.gov.cn
www.payvel.com
116.236.233.34
shca.stats-sh.gov.cn
umsp.sheca.com
sso.fangdi.com.cn
116.236.233.34
www.962600.com
www.ouyeeljg.com
www.ibjl-cn.com
www.beckmancoulterdealer.com.cn
yunpan.bsteel.com
oa.sdmsa.gov.cn
email.fub.edu -> AC Firmaprofesional - INFRAESTRUCTURA (1)
email.fub.edu
usowa.gamesacorp.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
usowa.gamesacorp.com
mail.lactalisiberia.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
mail.lactalisiberia.com
*.cofib.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
*.cofib.es
NRC SSP Agency CA G3 -> Symantec SSP Intermediate CA - G4 (1)
NRC SSP Agency CA G3
NRC SSP Device CA G3 -> Symantec SSP Intermediate CA - G4 (1)
NRC SSP Device CA G3
CA974000002 -> GPKIRootCA (1)
CA974000002
www.csn.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
www.csn.es
COMODO EV SGC CA -> AAA Certificate Services (1)
COMODO EV SGC CA
www.coflugo.org -> AC Firmaprofesional - INFRAESTRUCTURA (1)
www.coflugo.org
www.rgjr.cn -> CFCA OCA2 (1)
www.rgjr.cn
www.alarmasip.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
www.alarmasip.es
www.rycard.com -> CFCA OCA2 (1)
www.rycard.com
WoSign Class 3 OV Server CA -> Certification Authority of WoSign (6)
www.huiyuanbao.com
trade1.chinalions.com
trade2.chinalions.com
nbp.szzfgjj.com
mdmservice.hnagroup.net
WoSign Class 3 OV Server CA
Siemens Issuing CA EE Enc -> Siemens Internet CA V1.0 (1)
Siemens Issuing CA EE Enc
CA134040001 -> GPKIRootCA (2)
CA134040001
CA134040001
sso.gamesacorp.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
sso.gamesacorp.com
*.ayto-miguelturra.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
*.ayto-miguelturra.es
SHECA Global G2 SSL -> UCA Global Root (58)
www.guanker.com
www.sheca.com
SHECA Global G2 SSL
ycds.cathay-ins.com.cn
www.sheca.com
www.payvel.com
insurance.shanghai-electric.com
*.huashan.org.cn
www.962600.com
mail.chicgroup.com
tstinter.nissay-greatwall.com.cn
58.247.21.59
inter.nissay-greatwall.com.cn
*.qd-n-tax.gov.cn
*.ccb-life.com.cn
www.smflvce.com
*.gwcslife.com
www.watchf.cn
gpm.eland.com
www.962600.com
www.sheca.com
www.imtrust.com
www.imtrust.org
www.sh-immigration.gov.cn
fund.dzqh.com.cn
www.letusign.com
*.jusstickets.com
vpn.chicgroup.com
mail.snnu.edu.cn
ca3.sheca.com
ra.sheca.com
sxfs.95516.com
payupdate.sheca.com
isap.sheca.com
www.smflgz.com.cn
app.kyee.com.cn
oa.sheca.com
sithc.shciq.gov.cn
61.152.215.248
ebank.baofinance.com
*.chubb.com.cn
xxbs.sh.gov.cn
*.chubb.com.cn
cqweb.thalessaic.com.cn
*.e-celap.com
sefc.shanghai-electric.com
www.smflsh.com.cn
58.210.143.12
*.saicfc.com
fxbc.shfdsc.com
*.stcsm.gov.cn
www.yuanjutong.com
vpn.minette.cn
ad.semir.com
vpn.semir.com
user.114mall.com
vpn.balabala.cn
e.coaib.org -> AC Firmaprofesional - INFRAESTRUCTURA (1)
e.coaib.org
aru.enaire.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
aru.enaire.es
www.idvroom.com -> KEYNECTIS SSL RGS (1)
www.idvroom.com
ibs.wooribankchina.com -> CFCA OCA2 (1)
ibs.wooribankchina.com
U.S. Department of Transportation Device CA G4 -> Symantec SSP Intermediate CA - G4 (1)
U.S. Department of Transportation Device CA G4
Siemens Issuing CA Multipurpose 2013 -> Siemens Internet CA V1.0 (1)
Siemens Issuing CA Multipurpose 2013
serviciosremotos.saludcastillayleon.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
serviciosremotos.saludcastillayleon.es
WellsSecure Certification Authority 01 G2 -> WellsSecure Public Root Certification Authority 01 G2 (98)
pay-staging.wfhealthcarepatientpay.com
www.wellsfargoretirement.com
online.wfhealthcarepatientpay.com
pay.wfhealthcarepatientpay.com
emm.wellsfargorewards.com
www.mywellsfargorewardsemm.com
www.earnmoremall.com
estatus.wellsfargo.com
www.myfirsthome.wellsfargobank.com
www.myfirsthome.wellsfargobank.com
www.wealthmanagementinsights.com
www.eloansecure.com
wfefs.wellsfargo.com
efs.wellsfargo.com
mobilemerchantcenter.wf.com
www.wellsfargo401konline.com
bizgift.wellsfargobank.com
wellsfargocapitalfinance.com
dealerreports.wellsfargo.com
adminfix.accesswca.com
admin.accesswca.com
ceomobilefix.wellsfargo.com
mdm2.eml.wellsfargo.com
newsearch.wellsfargoadvantagefunds.com
saml.wf.com
csfedportaluatsp-ext.wellsfargo.com
ceomobileuata.wellsfargo.com
wls-cte1.wellsfargo.com
mailpouchuat2.wellsfargo.com
virtuallockbox.wf.com
wwwfix.servicerconnect.com
nsprotect.eml.wellsfargo.com
bp-tch.wellsfargo.com
achgp.wellsfargo.com
vera-nc1.wellsfargo.com
onlineenrolluat.wellsfargo.com
wellsfsuat.wf.com
wcafsfix.wellsfargo.com
mxdioc01.wellsfargo.com
wellsadminfix.wellsfargo.com
wellscontent.wellsfargo.com
pwb.wellsfargo.com
floorplansolutionuat.wf.com
floorplansolution.wf.com
claimspayments.wf.com
whlssp.wellsfargo.com
www.neighborhoodlift.org
fsfix.accesswca.com
rmoluat.wellsfargo.com
wellstrust.wellsfargo.com
lsrt.wfhmevents.com
fix.accesswca.com
realstpfix.wellsfargo.com
online-staging.wfhealthcarepatientpay.com
wifp.wellsfargo.com
wellstrade.wellsfargo.com
www.citylift.com
offeringmaterials.wellsfargosecurities.com
wconnect.eastdilsecured.com
purl.stage.bluespiremarketing.net
wellsadminuat.wellsfargo.com
onlineenrollfix.wellsfargo.com
sso-1mgm-cert.wellsfargo.com
www.mycitylift.org
test.wfb.pointserv.com
sso-1mgm.wellsfargo.com
corestates.com
gpowrpt.wellsfargo.com
ceomobilesit2.wf.com
ceoadmin.wellsfargo.com
www.mycitylift.net
advantagefunds.wellsfargo.com
sso-1mgm-dr.wellsfargo.com
www.neighborhoodlift.net
wellsfsuat.wellsfargo.com
www.mycitylift.com
www.citylift.org
wqa-itn-srv1.qaitn.com
smcwva029.eml.wellsfargo.com
rmol.wellsfargo.com
wcafs.wellsfargo.com
m2mhubuat.wellsfargo.com
chk1.eml.wellsfargo.com
www2.wellsfargofunds.com
ceofraudmanager.wellsfargo.com
www2.wellsfargoadvantagefunds.com
cibt-dp-del.test.wellsfargo.com
gpow.wellsfargo.com
wifpuat.wellsfargo.com
sba504servicing-uat.wellsfargo.com
mail.wellsfargochampionship.com
wwwfix.ctslink.com
m2mhub.wellsfargo.com
lockbox.wf.com
fs.accesswca.com
smtp.eastdilsecured.com
rmolfix.wellsfargo.com
ipsfix.wellsfargo.com
www.citinavarra.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
www.citinavarra.com
U.S. Department of Transportation Agency CA G4 -> Symantec SSP Intermediate CA - G4 (1)
U.S. Department of Transportation Agency CA G4
Verizon Cybertrust Security Customer CA -> Verizon Business Primary CA (1)
Verizon Cybertrust Security Customer CA
To me, this list looks small enough that it seems reasonable to require the strict match even though these certs would not validate.
go version:
go version go1.6 linux/amd64

go env:
GOARCH="amd64"
GOBIN="/home/jsha/gopkg/bin"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/jsha/gopkg"
GORACE=""
GOROOT="/home/jsha/go1.6"
GOTOOLDIR="/home/jsha/go1.6/pkg/tool/linux_amd64"
GO15VENDOREXPERIMENT="1"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
CXX="g++"
CGO_ENABLED="1"

Per https://tools.ietf.org/html/rfc5280#page-73,

However, in the test code linked above,

ee.CheckSignatureFrom(issuer2)

returns a nil error, even though the subject of issuer2 is not equal to the issuer of ee.

Successfully verified signature on EE cert from issuer2, expected failure.
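The following Go program is an added example written for this page; it is not jsha's repro from the linked test code, nor code from the Go project. It recreates the situation reported in the issue (an end-entity certificate whose signature verifies under issuer2's key while its Issuer name is not issuer2's Subject) and then applies the strict issuer/subject match that agl proposes above. The CA names "Issuer One" and "Issuer Two" and the leaf name are constructed values. It assumes only the standard library: x509.CreateCertificate copies the parent's Subject into the new certificate's Issuer, and it does not insist that the signing key matches a parent that carries no public key, which is what lets the mismatched leaf be built.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCA builds a throwaway CA certificate with the given common name.
func selfSignedCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signLeaf issues an end-entity certificate signed with signerKey. The Issuer
// name written into the leaf is copied from parent, which the caller may
// deliberately make different from the signing CA's own Subject.
func signLeaf(parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "ee.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &leafKey.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// strictLinkCheck is the check proposed in the thread: the child's Issuer must
// be byte-for-byte identical to the parent's Subject before the signature counts.
func strictLinkCheck(child, parent *x509.Certificate) error {
	if !bytes.Equal(child.RawIssuer, parent.RawSubject) {
		return errors.New("issuer name does not match parent's subject")
	}
	return child.CheckSignatureFrom(parent)
}

// ReproResult collects the outcome of the three checks run by Repro.
type ReproResult struct {
	SignatureOnly error // CheckSignatureFrom(issuer2) on the mismatched leaf
	Strict        error // strictLinkCheck on the mismatched leaf
	ProperLeaf    error // strictLinkCheck on a leaf really issued by issuer2
}

// Repro builds a leaf whose Issuer field names "Issuer One" but whose
// signature was produced with issuer2's key, then runs both checks on it.
func Repro() (ReproResult, error) {
	var r ReproResult
	issuer2, issuer2Key, err := selfSignedCA("Issuer Two")
	if err != nil {
		return r, err
	}
	// A parent carrying only a Subject and no PublicKey: CreateCertificate
	// copies the name into the leaf's Issuer and has no parent key to compare
	// the signer against, so issuer2Key is accepted.
	fakeParent := &x509.Certificate{Subject: pkix.Name{CommonName: "Issuer One"}}
	mismatched, err := signLeaf(fakeParent, issuer2Key)
	if err != nil {
		return r, err
	}
	r.SignatureOnly = mismatched.CheckSignatureFrom(issuer2) // nil: signature alone is fine
	r.Strict = strictLinkCheck(mismatched, issuer2)         // non-nil: names differ

	proper, err := signLeaf(issuer2, issuer2Key)
	if err != nil {
		return r, err
	}
	r.ProperLeaf = strictLinkCheck(proper, issuer2) // nil: names match and signature verifies
	return r, nil
}

func main() {
	r, err := Repro()
	if err != nil {
		panic(err)
	}
	fmt.Println("CheckSignatureFrom on mismatched leaf:", r.SignatureOnly)
	fmt.Println("strict check on mismatched leaf:      ", r.Strict)
	fmt.Println("strict check on properly issued leaf: ", r.ProperLeaf)
}
```

The strict comparison is the one the list above was generated to evaluate: it treats any link whose RawIssuer and RawSubject differ, even by case or whitespace that RFC 5280 name comparison would canonicalise away, as a broken chain. A verifier that does this should expect the chains in that list to stop validating, which is the trade-off agl describes.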