[Cryptography] Verifying X.509 Verification - how about an updated PKITS?
Peter Trei
petertrei at gmail.com
Sun Apr 6 12:25:53 EDT 2014
We've now seen critical errors in two different TLS implementations,
both of which centered around (different) failures to properly
verify X.509 certificate chains.
As problematic as PKI is, these are bugs that shouldn't have happened. But
they're both 'Type II' errors; a failure to recognize a problem that
should have generated an alarm. The 'happy path' code gets tested
all the time - normal operation relies on it working. It's the 'unhappy
path' which only gets exercised when something is going wrong that
implements these holes. Testing the 'unhappy path' is crucial,
since normal operation doesn't run that way. Apparently this wasn't done.
Hard experience has taught us all that its difficult to get developers
to do thorough testing of code that is rarely if ever run, especially if
there's a lot of work involved in setting up the tests.
I found myself thinking about a test suite of certificates which had
known problems, and which *should* cause apps encountering them
to throw errors. Never one to re-invent the wheel, I started poking
around.
What I found was PKITS:
http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html
Its about 10 years old.
Reading the tests and related documents, this seems a pretty
reasonable set of tests. It even includes a set of certs which
*should* generate failures.
I'm fully aware that anything crypto-related coming out of NIST
today is viewed with a jaundiced eye. But the tests PKITS claims
to perform seem a good start, and include the critical Type II error
tests.
Can we use an updated version of PKITS? Would such a suite have
picked up the iOS and gnuTLS bugs? I haven't tried yet.
I expect we'd have to generate a new set of busted certificates;
aside from the trust issue, the included certs are all RSAsha1
with 1024 bit keys, and the validity dates are aging out.
Looking at the PKITS tests, can anyone spot anything critical missing?
Does anyone want to update this?
Peter Trei
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140406/2b7795c0/attachment.html>
More information about the cryptography
mailing list