woodruffw
commented
5 months ago And for context, here's a similar issue we filed with another X.509 validator (Go's crypto/x509): https://github.com/golang/go/issues/65085.
Open woodruffw opened 5 months ago
woodruffw
commented
5 months ago And for context, here's a similar issue we filed with another X.509 validator (Go's crypto/x509): https://github.com/golang/go/issues/65085.
Hi there! I'm opening this to help root-cause a handful of anomalous path-building results observed with
certvalidator, which we found with x509-limbo.As a disclaimer: many of these are likely to be non-issues from
certvalidator's perspective, so please don't interpret this issue as a demand or expectation for everything on the linked results page to be fixed. X.509 validators have a huge range of behaviors in practice and many of the failures are either due to "pedantic" readings of RFC 5280 or explicitly unsupported features (e.g. Name Constraints, incertvalidator's case).There are, however, some results for which
certvalidatoris an outlier or otherwise should probably consider some changes. A non-exhaustive sampling:certvalidatoraccepts it;pathological::nc-dos-1andpathological::nc-dos-3: implementations typically establish a NC comparison budget to prevent quadratic blowup, butcertvalidatorappears to churn through them instead (taking over 30 seconds on my machine). I haven't fully root-caused this one, but was surprised sincecertvalidatorotherwise appears to reject any critical NC extensions);webpki::san::wildcard-embedded-leftmost-san: implementations should reject SAN patterns with non-leftmost wildcards (e.g.ba*.example.com), per both RFC 6125 and CABF;cve::cve-2024-0567: this is a test for a chain-building failure in an older version of GnuTLS, whichcertvalidatoralso fails to construct a chain for here. The error here is pretty strange, sincecertvalidatorappears to handle SANs in other contexts.There are others as well, but these ones stood out as initial candidates for fixes.
Please let me know if there's any other information I can provide, or if I can help in any way! I'm not super familiar with
certvalidator's internals, but I may be able to help resolve some of these with some guidance on the codebase 🙂