[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Fri Nov 18 13:56:42 UTC 2016


On 17/11/16 18:41, Erwann Abalea wrote:
> Another valid chain:
> RootCA (subject: "C=UT, O=PerfectCA, CN=Root")
>   -> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0)
>     -> OnlineCA (subject: "C=UT, O=PerfectCA, CN=Online", pathLen=0) <= this is the self-issued cert, same name
>       -> EE
> 
> Having a pathLen=0 doesn’t forbid you from creating a CA
> certificate, it only forbids you from creating a CA certificate
> for a different CA. This is defined in X.509 and repeated in RFC5280.
> This behaviour is supported by OpenSSL, probably by Microsoft
> (haven’t checked), I guess by Mozilla libPKIX but not Mozilla::pkix
> (just quickly read the source).

Well, %$£&*.

So an attacker can effectively leverage a SHA-1 collision into a cert
which is equivalent to the issuing intermediate but for which they
control the private key?

Gerv



More information about the Public mailing list