Created attachment 76225 [details]
Ignored Entrust certificate (plain PEM)
I'm attaching a certificate, which is marked positive for all purposes, but which is apparently being ignored by p11-kit-trust.so
It isn't shown in Firefox cert manager.
It isn't contained in the pem-bundle nor in the pem-directory output.
Hmmm. This certificate is not a valid CA. It is a version 3 CA, but has no Basic Constraints extension.
22.214.171.124. Basic Constraints
The basic constraints extension identifies whether the subject of the
certificate is a CA and the maximum depth of valid certification
paths that include this certificate.
The cA boolean indicates whether the certified public key may be used
to verify certificate signatures. If the cA boolean is not asserted,
then the keyCertSign bit in the key usage extension MUST NOT be
asserted. If the basic constraints extension is not present in a
version 3 certificate, or the extension is present but the cA boolean
is not asserted, then the certified public key MUST NOT be used to
verify certificate signatures.
Conforming CAs MUST include this extension in all CA certificates
that contain public keys used to validate digital signatures on
certificates and MUST mark the extension as critical in such
So if we want to override this, we can do so with a stapled certificate extension. Making this depend on bug #62156.
Do we need a short term solution?
Here is some research around the affected root CA cert.
I've proposed a potential solution upstream, but I'm not sure if it's acceptable for upstream.
(In reply to comment #1)
> So if we want to override this, we can do so with a stapled certificate
> extension. Making this depend on bug #62156.
> Do we need a short term solution?
I'm afraid we'll probably need one.
But let's wait a few days for upstream reactions, especially from Entrust.
I think we have the following options:
Ship the replacement intermediate as trusted on Fedora.
This would deviate from upstream behaviour, and wouldn't trust any certificates that have been issued prior to Mar 23 15:18:27 2009 GMT.
I think we shouldn't do that.
Find a workaround that allows p11-kit-trust.so to accept the Entrust-1999 cert as a root CA, despite it's lack of the basic constraint extension.
Although you are right, it's against the specs, this is a legacy certificate.
Because upstream Firefox and NSS do currently support it correctly, p11-kit-trust.so can only be accepted as a complete drop-in replacement, if it delivers the equivalent set of trusted roots.
I believe upstream NSS accepts it, because it doesn't attempt to check all attributes of certificates that been explicitly been marked as trusted.
Would it be possible to p11-kit-trust.so to act in the same way?
At least until you have extension stapling implemented?
Hope that Entrust approves the pledge that I proposed ustream.
However, even if they did, we'd still have to worry about a detail.
The question is, would upstream Mozilla mark the intermediate as explicitly trusted, or simply add it without explicit trust?
If upstream added it without explicit trust, then upstream would work correctly. However, our extraction wouldn't work - because our extraction only acts on certificates with explicit trust flags. I believe it ignores certificates with neutral trust.
This means, if we wanted a solution that fixes the issue without any work to the p11-kit system, then it would be required that upstream adds the intermediate with explicit trust.
It seems likely that there will be a solution for this issue soon.
Entrust has already asked that Mozilla replaces the non-BCE root with a completely equivalent BCE-containing root, this work is being tracked in https://bugzilla.mozilla.org/show_bug.cgi?id=694536
It's likely that this work will be completed before we need to ship Fedora 19. Once that happens, a workaround at the p11-kit level will become unnecessary.
This can now be fixed by adding a stapled certificate extension. Below is one in the .p11-kit persist format:
label: "Add missing BasicConstraints for Entrust root"
For future reference, the 'id' field is a CKA_ID attribute. Since the entrust certificate is loaded directly from PEM data, it has no CKA_ID, p11-kit trust generates one in the recommended manner by using the SHA-1 hash of the subjectPublicKeyInfo DER contents. So we can use this CKA_ID in the stapled certificate extension to associate this with the certificate and add an extension.
The 'value' field is the raw DER contents of a BasicConstraints that contains CA:TRUE.
Updated .p11-kit file for 0.19.0 and later:
label: "Add missing BasicConstraints for Entrust.net 2048"