
Please correct the IsTechnicallyConstrained logic in the certificate tool #432

Open
WilsonKathleen opened this issue Jun 15, 2022 · 0 comments


WilsonKathleen commented Jun 15, 2022

The TLS Observatory certificate tool is not giving the correct IsTechnicallyConstrained result for some certificates. For example, when a certificate only has 1.3.6.1.4.1.311.10.3.12 in the EKU, the tool should return true in IsTechnicallyConstrained.

The logic for IsTechnicallyConstrained should match the policy here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#531-technically-constrained

To summarize the logic that should be in the code...

  1. IsTechnicallyConstrained is false when the certificate does not contain the EKU extension.

  2. IsTechnicallyConstrained is false when the EKU extension contains the anyExtendedKeyUsage KeyPurposeId (2.5.29.37.0)

  3. IsTechnicallyConstrained is true when the EKU extension is present and does NOT contain either the id-kp-serverAuth KeyPurposeId (1.3.6.1.5.5.7.3.1) or the id-kp-emailProtection KeyPurposeId (1.3.6.1.5.5.7.3.4).

  4. If the EKU includes the id-kp-serverAuth KeyPurposeId, then IsTechnicallyConstrained can only be true if there is at least one dNSName, iPAddress range or DirectoryName in permittedSubtrees in the Name Constraints extension. (for details see section 7.1.5 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf)

  5. If the EKU includes the id-kp-emailProtection KeyPurposeId, then IsTechnicallyConstrained can only be true if the Name Constraints extension has constraints on rfc822Name with at least one name in permittedSubtrees.

Background:

This issue is in regards to:
https://tls-observatory.services.mozilla.com/api/v1/certificate
We use this tool to add certificates to the Common CA Database (CCADB).

Example:
curl -X POST -F certificate=@SECOMpassportPlusCA1G1.pem https://tls-observatory.services.mozilla.com/api/v1/certificate

In this example, SECOMpassportPlusCA1G1.pem is the PEM for the “SECOM Passport Plus CA1 G1” certificate, e.g.
https://crt.sh/?d=6670931376

The result has
"mozillaPolicyV2_5":{"IsTechnicallyConstrained":false}}
But it should be true.
