kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

Bug Report: Keys can be used in ways that the key usage data should prohibit. #478

Closed Videogamer555 closed 9 months ago

Videogamer555 commented 9 months ago

Describe the bug

Certificates are allowed to do things that the internal constraint/usage data is supposed to prevent.

To Reproduce

Steps to reproduce the behavior: Create a certificate that doesn't have CA for basic constraint, and then try to use that certificate to issue a new certificate (right click on it and select Sign > Sign New Key Pair). Another thing to try is to take a certificate configured for HTTPS server authentication (when making the certificate, you went to Add Extensions > Use Standard Template > SSL Server) and use it to sign a JAR file.

Expected behavior

Both of these should either fail when you attempt this, with a warning message about missing permission in the certificate, or alternatively uses that would violate the permissions of the selected certificate shouldn't appear in the right-click menu for that certificate.

Actual behavior

Such uses of certificates in violation of the permissions stored in the certificates are available in the menu, and actually succeed when you attempt to do those actions.

Environment

jpstotz commented 9 months ago

In general, I would call this a feature, not a bug. For security tests, generating invalid certificate chains is a nice feature. So from my perspective, I would say it may be sufficient to inform the user that the currently selected action violates the restrictions and ask if the user still wants to continue.

kaikramer commented 9 months ago

To elaborate on what @jpstotz already has explained: The most common use case for issuing certificates with KSE is testing. Usually feature requests from users are for allowing more things (not for more restrictions). For example, one request was to be able to issue certificates with a notAfter that lies in the past. Following your arguments, it should not be possible to issue expired certificates. But as a matter of fact, this is extremely useful for testing.

If you are issuing certificates for productive purposes then a QA process has to be put in place to make sure the result matches the requirements anyway - regardless of the software.

So thank you for taking the time to write a bug report, I really appreciate that, but KSE works as intended here.
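
The check discussed in this thread (warn when a certificate's extensions do not permit the selected action, or verify issued certificates in a QA step), as an added example that is not part of the thread and is not KeyStore Explorer code. It uses the Python `cryptography` package; the function names, the action labels, the policy for absent extensions and the constructed sample certificates are assumptions of the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

def _ext(cert, cls):
    """Return the extension value, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def usage_violations(cert, action):
    """Reasons `cert` may not perform `action` ("issue" or "codesign")."""
    bc, ku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.KeyUsage)
    eku = _ext(cert, x509.ExtendedKeyUsage)
    problems = []  # assumed policy: an absent keyUsage/EKU is treated as no restriction
    if action == "issue":
        if bc is None or not bc.ca:
            problems.append("basicConstraints does not assert CA")
        if ku is not None and not ku.key_cert_sign:
            problems.append("keyUsage lacks keyCertSign")
    elif action == "codesign":
        if ku is not None and not ku.digital_signature:
            problems.append("keyUsage lacks digitalSignature")
        if eku is not None and EKU.CODE_SIGNING not in eku:
            problems.append("extendedKeyUsage lacks codeSigning")
    else:
        raise ValueError(f"unknown action: {action}")
    return problems

def make_cert(cn, ca, eku_oids=()):
    """Constructed sample: self-signed P-256 certificate, valid for one day."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if eku_oids:
        b = b.add_extension(x509.ExtendedKeyUsage(list(eku_oids)), critical=False)
    return b.sign(key, hashes.SHA256())

if __name__ == "__main__":
    # The report's case: a non-CA TLS server certificate asked to issue and to sign code.
    server = make_cert("server.example", ca=False, eku_oids=[EKU.SERVER_AUTH])
    for action in ("issue", "codesign"):
        print(action, usage_violations(server, action))
```

A tool that wants to keep test scenarios possible can show the returned reasons as a confirmation prompt instead of refusing the action outright.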