
Libp2p TLS spec does not adhere to RFC 5280 for issuer and subject fields #635

Open
diegomrsantos opened this issue Sep 26, 2024 · 3 comments

Comments


diegomrsantos commented Sep 26, 2024

Description

The current libp2p TLS specification does not require the issuer and subject fields in the X.509 certificates, which is a requirement according to RFC 5280. Specifically, the spec mentions that the certificate MUST omit the deprecated subjectUniqueId and issuerUniqueId fields, but does not address the necessity for the issuer and subject fields.

RFC 5280, Sections 4.1.2.4 and 4.1.2.6, specify that:

  • The issuer field MUST be present and MUST contain a non-empty distinguished name (DN).
  • The subject field MUST be present and MUST contain a non-empty DN.

Additionally, this discrepancy causes issues when using parser libraries that strictly follow RFC 5280. For example, it's not possible to parse the certificate 3082018230820128a003020102020900f3b305f55622cfdf300a06082a8648ce3d04030230003020170d3735303130313030303030305a180f34303936303130313030303030305a30003059301306072a8648ce3d020106082a8648ce3d0301070342000458f7e9581748ff9bdd933b655cc0e5552a1248f840658cc221dec2186b5a2fe4641b86ab7590a3422cdbb1000cf97662f27e5910d7569f22feed8829c8b52e0fa38188308185308182060a2b0601040183a25a01010101ff0471306f042508021221026b053094d1112bce799dc8026040ae6d4eb574157929f1598172061f753d9b1b04463044022040712707e97794c478d93989aaa28ae1f71c03af524a8a4bd2d98424948a782302207b61b7f074b696a25fb9e0059141a811cccc4cc28042d9301b9b2a4015e87470300a06082a8648ce3d04030203480030450220143ae4d86fdc8675d2480bb6912eca5e39165df7f572d836aa2f2d6acfab13f8022100831d1979a98f0c4a6fb5069ca374de92f1a1205c962a6d90ad3d7554cb7d9df4 defined in the tests using such a library.

Steps to Reproduce

Expected Behavior

The libp2p TLS spec should require the issuer and subject fields to be present and contain non-empty DNs, in compliance with RFC 5280.

Suggested Solutions

  • Update the libp2p TLS spec to require issuer and subject fields.
  • Provide guidance on how to populate these fields in the context of libp2p.

Additional Information

RFC 5280 - Section 4.1.2.4
RFC 5280 - Section 4.1.2.6
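The parse failure described above can be reproduced and inspected without a third-party X.509 library. The following is an added example, not code from the issue, the libp2p spec or go-libp2p: a minimal DER walker that locates the issuer and subject Names in the test-vector certificate quoted above, decodes them, and reports whether each is an empty SEQUENCE (the `30 00` bytes that a strict RFC 5280 parser rejects). It also re-encodes the certificate with a populated commonName so the same check can be seen passing on a certificate whose Names are present; the signature is not regenerated, so that variant is parser test input only. Function and constant names (`check_names`, `with_names`, `CN_OID`, and so on) are this example's own. One detail worth keeping in view when the spec is updated: RFC 5280 Section 4.1.2.6 permits an empty subject SEQUENCE only when subject identity is carried in a critical subjectAltName extension, and the issuer has no such allowance; the certificate above carries only the libp2p extension (1.3.6.1.4.1.53594.1.1) and no subjectAltName, so neither of its Names falls under that exception.

```python
# Check whether a DER X.509 certificate's issuer and subject Names are empty
# (RFC 5280 4.1.2.4 / 4.1.2.6).  Minimal DER walker, no third-party deps; it reads
# the TBSCertificate only as far as the two Name fields and never checks signatures.
# Certificate quoted in the issue (a libp2p TLS test vector); only split across lines here.
LIBP2P_TEST_CERT_HEX = (
    "3082018230820128a003020102020900f3b305f55622cfdf300a06082a8648ce3d0403023000"
    "3020170d3735303130313030303030305a180f34303936303130313030303030305a3000"
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
    "0458f7e9581748ff9bdd933b655cc0e5552a1248f840658cc221dec2186b5a2fe4"
    "641b86ab7590a3422cdbb1000cf97662f27e5910d7569f22feed8829c8b52e0f"
    "a38188308185308182060a2b0601040183a25a01010101ff0471306f0425"
    "08021221026b053094d1112bce799dc8026040ae6d4eb574157929f1598172061f753d9b1b04463044"
    "022040712707e97794c478d93989aaa28ae1f71c03af524a8a4bd2d98424948a7823"
    "02207b61b7f074b696a25fb9e0059141a811cccc4cc28042d9301b9b2a4015e87470"
    "300a06082a8648ce3d04030203480030450220"
    "143ae4d86fdc8675d2480bb6912eca5e39165df7f572d836aa2f2d6acfab13f8022100"
    "831d1979a98f0c4a6fb5069ca374de92f1a1205c962a6d90ad3d7554cb7d9df4"
)
SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C
TEXT_TAGS = {0x0C, 0x13, 0x16}                 # UTF8String, PrintableString, IA5String
CN_OID = bytes.fromhex("550403")               # id-at-commonName (2.5.4.3), DER contents

def read_tlv(buf, pos):
    """Decode the DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                            # short form: the byte is the length
        length = first
    else:                                       # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        node = read_tlv(buf, pos)
        yield node
        pos = node[2]

def decode_oid(raw):
    """OID contents bytes -> dotted-decimal string (base-128 arcs; first byte packs two arcs)."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = (2, arcs[0] - 80) if arcs[0] >= 80 else divmod(arcs[0], 40)
    return ".".join(str(a) for a in (*head, *arcs[1:]))

def decode_name(buf, start, end):
    """Name ::= SEQUENCE OF SET OF (OID, value) -> list of (dotted_oid, text)."""
    attrs = []
    for tag, s, e in children(buf, start, end):
        if tag != SET:
            raise ValueError("RelativeDistinguishedName is not a SET")
        for _, s2, e2 in children(buf, s, e):     # each AttributeTypeAndValue SEQUENCE
            (_, os_, oe), (t_val, vs, ve) = list(children(buf, s2, e2))
            text = buf[vs:ve].decode("utf-8") if t_val in TEXT_TAGS else buf[vs:ve].hex()
            attrs.append((decode_oid(buf[os_:oe]), text))
    return attrs

def locate_fields(der):
    """-> (top-level TLVs, TBSCertificate field TLVs, issuer index, subject index)."""
    tag, s, e = read_tlv(der, 0)
    if tag != SEQUENCE or e != len(der):
        raise ValueError("not a single DER Certificate SEQUENCE")
    top = list(children(der, s, e))             # tbsCertificate, signatureAlgorithm, signatureValue
    fields = list(children(der, top[0][1], top[0][2]))
    offset = 1 if fields[0][0] == 0xA0 else 0   # optional EXPLICIT [0] version shifts later fields
    return top, fields, offset + 2, offset + 4  # serial, signature, ISSUER, validity, SUBJECT, ...

def check_names(der):
    """-> (issuer_attrs, subject_attrs); an empty list means that Name is an empty SEQUENCE."""
    _, fields, i, j = locate_fields(der)
    if fields[i][0] != SEQUENCE or fields[j][0] != SEQUENCE:
        raise ValueError("issuer/subject is not a SEQUENCE")
    return decode_name(der, *fields[i][1:]), decode_name(der, *fields[j][1:])

def tlv(tag, content):
    """DER-encode one TLV (content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def build_name(attrs):
    """[(oid_contents_bytes, text)] -> DER Name, one single-attribute RDN each, values as UTF8String."""
    return tlv(SEQUENCE, b"".join(
        tlv(SET, tlv(SEQUENCE, tlv(OID, oid) + tlv(UTF8STRING, text.encode()))) for oid, text in attrs))

def with_names(der, name):
    """Re-encode the certificate with `name` as issuer and subject; signature untouched (no longer verifies)."""
    top, fields, i, j = locate_fields(der)
    tbs = b"".join(name if k in (i, j) else tlv(t, der[vs:ve]) for k, (t, vs, ve) in enumerate(fields))
    rest = b"".join(tlv(t, der[vs:ve]) for t, vs, ve in top[1:])
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + rest)
```

Calling `check_names(bytes.fromhex(LIBP2P_TEST_CERT_HEX))` returns `([], [])` for the test vector, confirming that both Names are empty SEQUENCEs rather than merely lacking attributes a parser could tolerate; `with_names(cert, build_name([(CN_OID, "libp2p")]))` yields a 424-byte certificate whose issuer and subject both decode to `[("2.5.4.3", "libp2p")]`, which is the shape a strict parser expects. The re-encoder is deliberately byte-exact on DER input, so passing it an empty Name reproduces the original certificate unchanged, a useful self-check before trusting its output.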

@diegomrsantos
Author

@marten-seemann your input here would be highly appreciated.

@MarcoPolo
Contributor

Does your testing library fail with certificates generated by go-libp2p? I think we fixed this a while ago: libp2p/go-libp2p-tls#100

@diegomrsantos
Author

I didn't generate certificates using go-libp2p. I tried using the test vectors defined here and they seem the same as in the spec, thus they also fail to parse.
