Bug #2515

Signature scheme constraints are only checked against the root certificate and not the complete trust chain

Added by Jafar Al-Gharaibeh over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Category:
libstrongswan
Target version:
Start date:
Due date:
Estimated time:
Affected version:
5.6.0
Resolution:
Fixed

Description

I have this setup

CA cert : RSA 4096
  => Intermediate CA : RSA 4096
    ==> Intermediate CA : RSA 2048
      ===> End Entity cert1 : RSA 2048

When I configure rightauth locally for a peer that uses cert1 with

rightauth=RSA-4096

The connection to the peer succeeds and works. I expected it to fail since the peer cert is using RSA-2048. Only if I set rightauth to something greater than 4096, such as 8196, does the connection fail.

The constraint in rightauth doesn't seem to be applied to all of the certificates in the trust chain.

Associated revisions

Revision c7263577 (diff)
Added by Tobias Brunner over 2 years ago

auth-cfg: Classify key strengths as multi value rules

If that's not the case, only the last value added would be considered,
not all the keys of a trust chain.

Fixes #2515.

History

#1 Updated by Tobias Brunner over 2 years ago

  • Tracker changed from Issue to Bug
  • Category set to libstrongswan
  • Status changed from New to Feedback
  • Target version set to 5.6.2

I think the problem is that these key strength rules are not classified as multi value rules, which means only the value added last is actually used (in this case the root CA). I pushed a fix to the 2515-auth-rule-strength branch.
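The following is an added example, not libstrongswan code, that models the failure mode described in the report and the cause given in the comment above: a rule list in which key-strength rules are either single-value (each add replaces the previous entry of that type, so only the root CA's strength, added last, survives) or multi-value (every chain member's strength is kept and checked). The rule names, the `chain_satisfies` helper and the assumption that strengths are recorded end entity first and root CA last are this example's own, not strongSwan's API; the key sizes are the reporter's chain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an auth-cfg rule list (example code, not libstrongswan).
 * Only key-strength rules are modelled. */
typedef enum { RULE_RSA_STRENGTH, RULE_ECDSA_STRENGTH } rule_type_t;

typedef struct { rule_type_t type; unsigned bits; } rule_t;

#define MAX_RULES 16

typedef struct {
    rule_t rules[MAX_RULES];
    size_t count;
    bool strength_multi_value; /* classification the fix toggles */
} auth_cfg_t;

static bool is_multi_value_rule(const auth_cfg_t *cfg, rule_type_t type)
{
    switch (type) {
        case RULE_RSA_STRENGTH:
        case RULE_ECDSA_STRENGTH:
            return cfg->strength_multi_value;
    }
    return false;
}

/* Add a rule. A single-value rule replaces any existing entry of the same
 * type, so only the value added last survives; a multi-value rule appends. */
static void auth_cfg_add(auth_cfg_t *cfg, rule_type_t type, unsigned bits)
{
    if (!is_multi_value_rule(cfg, type)) {
        for (size_t i = 0; i < cfg->count; i++) {
            if (cfg->rules[i].type == type) {
                cfg->rules[i].bits = bits;
                return;
            }
        }
    }
    if (cfg->count < MAX_RULES) {
        cfg->rules[cfg->count++] = (rule_t){ type, bits };
    }
}

/* Does every recorded key of this type meet the minimum strength?
 * Returns false if no key of that type was recorded at all. */
static bool auth_cfg_complies(const auth_cfg_t *have, rule_type_t type,
                              unsigned min_bits)
{
    bool found = false;
    for (size_t i = 0; i < have->count; i++) {
        if (have->rules[i].type != type) {
            continue;
        }
        found = true;
        if (have->rules[i].bits < min_bits) {
            return false;
        }
    }
    return found;
}

/* The reporter's chain in the assumed recording order: end entity first,
 * root CA last (the root's value is therefore the one added last). */
static const unsigned reporter_chain_bits[] = { 2048, 2048, 4096, 4096 };
#define CHAIN_LEN (sizeof(reporter_chain_bits) / sizeof(reporter_chain_bits[0]))

/* Record each chain member's RSA strength, then apply a rightauth=RSA-<min_bits>
 * style constraint. multi_value=false reproduces the bug, true the fix. */
bool chain_satisfies(bool multi_value, unsigned min_bits)
{
    auth_cfg_t cfg = { .count = 0, .strength_multi_value = multi_value };
    for (size_t i = 0; i < CHAIN_LEN; i++) {
        auth_cfg_add(&cfg, RULE_RSA_STRENGTH, reporter_chain_bits[i]);
    }
    return auth_cfg_complies(&cfg, RULE_RSA_STRENGTH, min_bits);
}

int main(void)
{
    printf("single-value, RSA-4096: %s\n",
           chain_satisfies(false, 4096) ? "accepted (bug)" : "rejected");
    printf("single-value, RSA-8192: %s\n",
           chain_satisfies(false, 8192) ? "accepted" : "rejected");
    printf("multi-value,  RSA-4096: %s\n",
           chain_satisfies(true, 4096) ? "accepted" : "rejected (fixed)");
    printf("multi-value,  RSA-2048: %s\n",
           chain_satisfies(true, 2048) ? "accepted" : "rejected");
    return 0;
}
```

With single-value semantics the RSA-4096 constraint is accepted and only a constraint above 4096 is rejected, exactly the behaviour the reporter saw; with the strength rules treated as multi-value the 2048-bit intermediate and end-entity keys are compared too and RSA-4096 is rejected.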

#2 Updated by Jafar Al-Gharaibeh over 2 years ago

Tobias,

I tested the fix, it works as expected now.

Please close the bug and merge the fix if you are OK with this.

Thank you,
Jafar

#3 Updated by Tobias Brunner over 2 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed

> I tested the fix, it works as expected now.
>
> Please close the bug and merge the fix if you are OK with this.

Thanks for testing. I've merged it to master.

#4 Updated by Tobias Brunner over 2 years ago

  • Subject changed from Potential X.509 signature scheme validation with trust chain to Signature scheme constraints are only checked against the root certificate and not the complete trust chain
