I’d also like to add that amongst the linters that are available publicly, only 
x509lint (https://github.com/kroeckx/x509lint) flags this error. Neither zlint 
nor certlint flags this.

 

It would probably be useful for Mozilla to add running x509lint alongside zlint 
and cablint as part of its evaluation process for new root certificate 
inclusions.

 

Thanks,

Corey

 

From: 'Aaron Gable' via [email protected] 
<[email protected]> 
Sent: Tuesday, June 21, 2022 1:59 PM
To: [email protected]
Cc: [email protected]
Subject: Re: Malformed Trustwave certificates in Mozilla's ca cert collection

 

I just had to do a bunch of digging to fully understand what's going on here, 
so I figured I'd share for the benefit of everyone else.

 

The keyUsage extension bitstring in these certificates is encoded as 03 03 07 
06 00. Those bytes are interpreted as follows:
03: This item is a BIT STRING
03: This item has a length of 3 bytes
07: The least significant 7 bits of the remaining bytes should be ignored
06 00: The bits 0000 0110 0XXX XXXX (with Xs representing ignored bits as 
indicated by the 07 byte)

This means that the final keyUsage bitstring is 000001100. This has a length of 
9 bits, which makes some sense given that there are 9 possible bits (indexed 0 
through 8) that can be set in the keyUsage extension specification 
<https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3> . This bit 
string indicates the keyCertSign (5) and crlSign (6) key usages.

 

However, there is another (shorter!) way to encode the exact same value. There 
are two zero-bits at the end of that nine-bit string, so it could instead be 
encoded as 03 02 01 06:
03: This item is a BIT STRING
02: This item has a length of 2 bytes
01: The least significant 1 bit of the remaining byte should be ignored
06: The bits 0000 011X

This results in a keyUsage bit string of 0000011, which also equivalently 
indicates the keyCertSign (5) and crlSign (6) key usages.

 

Finally, the Distinguished Encoding Rules (DER, X.690 
<https://www.itu.int/rec/T-REC-X.690-202102-I/en> ) require that this second 
shorter encoding be used:

> 11.2.2 Where Rec. ITU-T X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring 
> shall have all trailing 0 bits removed before it is encoded.

And the cited section of X.680 
<https://www.itu.int/rec/T-REC-X.680-202102-I/en>  says:

> 22.7 When a "NamedBitList" is used in defining a bitstring type ASN.1 
> encoding rules are free to add (or remove) arbitrarily any trailing 0 bits to 
> (or from) values that are being encoded or decoded. Application designers 
> should therefore ensure that different semantics are not associated with such 
> values which differ only in the number of trailing 0 bits.

The keyUsage extension is specified using the "NamedBitList" syntax, so BER 
says arbitrarily many trailing 0 bits may be dropped, so DER says they must be 
dropped. Therefore the encoding used in the two certificates in this thread is 
incorrect.

 

Aaron
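
The rule Aaron walks through above, as an added example that is not part of the original message and is not code from x509lint, zlint or certlint: it decodes the keyUsage BIT STRING bytes quoted in the thread, re-encodes them with trailing 0 bits removed, and compares the two. The function names are hypothetical, and only short-form lengths are handled.

```python
# Added example. Function names are hypothetical; short-form DER lengths only.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]  # RFC 5280 4.2.1.3

# Inner BIT STRING of the keyUsage extension, as quoted in the message above.
TRUSTWAVE_KEY_USAGE = bytes.fromhex("0303070600")


def parse_bit_string(tlv: bytes) -> str:
    """Decode a BIT STRING TLV into a string of '0'/'1' characters."""
    if len(tlv) < 3 or tlv[0] != 0x03:
        raise ValueError("not a BIT STRING")
    if tlv[1] & 0x80 or tlv[1] != len(tlv) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = tlv[2], tlv[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bits octet")
    bits = "".join(f"{octet:08b}" for octet in payload)
    return bits[:len(bits) - unused]


def encode_named_bits(bits: str) -> bytes:
    """DER-encode a NamedBitList value: strip trailing 0 bits, then pad."""
    bits = bits.rstrip("0")
    unused = -len(bits) % 8
    padded = bits + "0" * unused
    payload = bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))
    return bytes([0x03, len(payload) + 1, unused]) + payload


def lint_key_usage(tlv: bytes) -> dict:
    """Report the asserted usages and whether the encoding is minimal."""
    bits = parse_bit_string(tlv)
    canonical = encode_named_bits(bits)
    return {
        "bits": bits,
        "usages": [KEY_USAGE_BITS[i] for i, b in enumerate(bits[:9]) if b == "1"],
        "spurious_zero_bits": len(bits) - len(bits.rstrip("0")),
        "is_der": tlv == canonical,
        "canonical": canonical.hex(" "),
    }


if __name__ == "__main__":
    print(lint_key_usage(TRUSTWAVE_KEY_USAGE))
    print(lint_key_usage(bytes.fromhex("03020106")))
```

Because the comparison is against the re-encoded value, a BIT STRING with non-zero padding bits is also reported as not DER.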

 

On Tue, Jun 21, 2022 at 6:28 AM Jeffrey Walton <[email protected] 
<mailto:[email protected]> > wrote:

Hi Everyone,

We use cURL's cacert.pem to validate our implementation. cURL's
cacert.pem uses Mozilla's certificates as a source.[1] When testing
our code with cURL's cacert.pem we are seeing errors. The errors are
relatively new. The code has been solid for the last 4 or 5 years.

It looks like Trustwave is distributing malformed certificates. Below,
Gutmann's dumpasn1 is having trouble, too. Notice the "Error:
Spurious zero bits in bitstring":

$ openssl x509 -in trustwave-1.pem -inform PEM -out trustwave-1.der -outform DER
$ dumpasn1 trustwave-1.der
  0 608: SEQUENCE {
  4 519:   SEQUENCE {
  8   3:     [0] {
 10   1:       INTEGER 2
       :       }
 13  12:     INTEGER 0D 6A 5F 08 3F 28 5C 3E 51 95 DF 5D
 27  10:     SEQUENCE {
 29   8:       OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
       :       }
 39 145:     SEQUENCE {
 42  11:       SET {
 44   9:         SEQUENCE {
 46   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 51   2:           PrintableString 'US'
       :           }
       :         }
 55  17:       SET {
 57  15:         SEQUENCE {
 59   3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 64   8:           PrintableString 'Illinois'
       :           }
       :         }
 74  16:       SET {
 76  14:         SEQUENCE {
 78   3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 83   7:           PrintableString 'Chicago'
       :           }
       :         }
 92  33:       SET {
 94  31:         SEQUENCE {
 96   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
101  24:           PrintableString 'Trustwave Holdings, Inc.'
       :           }
       :         }
127  58:       SET {
129  56:         SEQUENCE {
131   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
136  49:           PrintableString
       :             'Trustwave Global ECC P256 Certification Authorit'
       :             'y'
       :           }
       :         }
       :       }
187  30:     SEQUENCE {
189  13:       UTCTime 23/08/2017 19:35:10 GMT
204  13:       UTCTime 23/08/2042 19:35:10 GMT
       :       }
219 145:     SEQUENCE {
222  11:       SET {
224   9:         SEQUENCE {
226   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
231   2:           PrintableString 'US'
       :           }
       :         }
235  17:       SET {
237  15:         SEQUENCE {
239   3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
244   8:           PrintableString 'Illinois'
       :           }
       :         }
254  16:       SET {
256  14:         SEQUENCE {
258   3:           OBJECT IDENTIFIER localityName (2 5 4 7)
263   7:           PrintableString 'Chicago'
       :           }
       :         }
272  33:       SET {
274  31:         SEQUENCE {
276   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
281  24:           PrintableString 'Trustwave Holdings, Inc.'
       :           }
       :         }
307  58:       SET {
309  56:         SEQUENCE {
311   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
316  49:           PrintableString
       :             'Trustwave Global ECC P256 Certification Authorit'
       :             'y'
       :           }
       :         }
       :       }
367  89:     SEQUENCE {
369  19:       SEQUENCE {
371   7:         OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
380   8:         OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
       :         }
390  66:       BIT STRING
       :         04 7E FB 6C E6 23 E3 73 32 08 CA 60 E6 53 9C BA
       :         74 8D 18 B0 78 90 52 80 DD 38 C0 4A 1D D1 A8 CC
       :         93 A4 97 06 38 CA 0D 15 62 C6 8E 01 2A 65 9D AA
       :         DF 34 91 2E 81 C1 E4 33 92 31 C4 FD 09 3A A6 3F
       :         AD
       :       }
458  67:     [3] {
460  65:       SEQUENCE {
462  15:         SEQUENCE {
464   3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
469   1:           BOOLEAN TRUE
472   5:           OCTET STRING, encapsulates {
474   3:             SEQUENCE {
476   1:               BOOLEAN TRUE
       :               }
       :             }
       :           }
479  15:         SEQUENCE {
481   3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
486   1:           BOOLEAN TRUE
489   5:           OCTET STRING, encapsulates {
491   3:             BIT STRING 7 unused bits
       :               '001100000'B
       :               Error: Spurious zero bits in bitstring.
       :             }
       :           }
496  29:         SEQUENCE {
498   3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
503  22:           OCTET STRING, encapsulates {
505  20:             OCTET STRING
       :               A3 41 06 AC 90 6D D1 4A EB 75 A5 4A 10 99 B3 B1
       :               A1 8B 4A F7
       :             }
       :           }
       :         }
       :       }
       :     }
527  10:   SEQUENCE {
529   8:     OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
       :     }
539  71:   BIT STRING, encapsulates {
542  68:     SEQUENCE {
544  32:       INTEGER
       :         07 E6 54 DA 0E A0 5A B2 AE 11 9F 87 C5 B6 FF 69
       :         DE 25 BE F8 A0 B7 08 F3 44 CE 2A DF 08 21 0C 37
578  32:       INTEGER
       :         2D 26 03 A0 05 BD 6B D1 F6 5C F8 65 CC 86 6D B3
       :         9C 34 48 63 84 09 C5 8D 77 1A E2 CC 9C E1 74 7B
       :       }
       :     }
       :   }

0 warnings, 1 error.

Here are the certificates:

Trustwave Global ECC P256 Certification Authority
=================================================

Trustwave Global ECC P384 Certification Authority
=================================================

[1] https://curl.se/docs/caextract.html

Jeff

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected] <mailto:[email protected]> " 
group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected] 
<mailto:dev-security-policy%[email protected]> .
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAH8yC8m7c3Dg8DEt%3DTT0Hh1icRXOE356aEu6iEUegTwxvNtWRQ%40mail.gmail.com.

