crypto/tls: consider enforcing KU bits on leaf certs #71842
Comments
rolandshoemaker
added
the
NeedsDecision
|
It sounds reasonable to me, but I also wouldn't be surprised to find it breaks oddball certs from outside the webpki (which I assume, is tolerable to some threshold of pain given the overall scope of Would you expect to land the RSA parts behind a FWIW we're also not validating KU in |
|
Related Code Changes
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
gabyhelp
added
the
LibraryProposal
I expect we'd probably gate the entire KU checking on a GODEBUG (default enabled, but with the ability to turn it off.)
I think it's probably the right thing to do for general usage of X.509, I'm sure there are enough legacy trusted roots that mess this up still (although perhaps worth a ecosystem survey to figure out.) We'd probably want to implement this as crypto/tls specific functionality. |
The crypto/x509 package has historically ignored KU, as CAs were historically terrible at setting it correctly (see https://cs.opensource.google/go/go/+/refs/tags/go1.24.0:src/crypto/x509/verify.go;l=717;drc=468fad45a27db0ec1fff4ae397d3670795b3f977.)
As such crypto/tls also ignores it when checking if the key in the presented leaf certificate is valid for the cipher being used. This means we ignore two things: RSA keys that are marked not to be used for RSA KEXs (lacking the keyAgreement bit) and differentiating ECDH and ECDSA keys (which otherwise have the same encoding).
We should revisit adding support for this. See https://github.com/google/boringssl/blob/main/ssl/handshake_client.cc#L1360-L1376 and https://github.com/google/boringssl/blob/main/ssl/handshake_server.cc#L1517-L1524 for how BoringSSL handles this.
cc @FiloSottile @cpu
The text was updated successfully, but these errors were encountered: