Accept only digital signature key usage for RCS-MLS The leaf is only supposed to have one bit set, and it must be Digital Signature Bug: 394613330 Change-Id: Iefef4cbf7301f72ac2e797c9a65ff3046be39b92 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/77309 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/pki/common_cert_errors.cc b/pki/common_cert_errors.cc index af36eca..edf7daf 100644 --- a/pki/common_cert_errors.cc +++ b/pki/common_cert_errors.cc
@@ -30,6 +30,9 @@ DEFINE_CERT_ERROR_ID(kUnconsumedCriticalExtension, "Unconsumed critical extension"); DEFINE_CERT_ERROR_ID(kKeyCertSignBitNotSet, "keyCertSign bit is not set"); +DEFINE_CERT_ERROR_ID(kKeyUsageIncorrectForRcsMlsClient, + "KeyUsage must have only the digitalSignature bit set for " + "rcsMlsClient auth"); DEFINE_CERT_ERROR_ID(kMaxPathLengthViolated, "max_path_length reached"); DEFINE_CERT_ERROR_ID(kBasicConstraintsIndicatesNotCa, "Basic Constraints indicates not a CA");
diff --git a/pki/common_cert_errors.h b/pki/common_cert_errors.h index 5b7a871..f8db8df 100644 --- a/pki/common_cert_errors.h +++ b/pki/common_cert_errors.h
@@ -58,6 +58,10 @@ // keyCertSign KeyUsage was not set. OPENSSL_EXPORT extern const CertErrorId kKeyCertSignBitNotSet; +// The certificate is being used for RCS MLS but the required digitalSignature +// bit was either not set, or was not the only bit set. +OPENSSL_EXPORT extern const CertErrorId kKeyUsageIncorrectForRcsMlsClient; + // The chain violates the max_path_length from BasicConstraints. OPENSSL_EXPORT extern const CertErrorId kMaxPathLengthViolated;
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth-extra/chain.pem b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth-extra/chain.pem index 1a7bdf8..fcbc08e 100644 --- a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth-extra/chain.pem +++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth-extra/chain.pem
@@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBkDCCATagAwIBAgIBAzAKBggqhkjOPQQDAjAgMR4wHAYDVQQDExVNTFMgQ2Vy +MIIBjDCCATOgAwIBAgIBAzAKBggqhkjOPQQDAjAgMR4wHAYDVQQDExVNTFMgQ2Vy dCBJbnRlcm1lZGlhdGUwIhgPMDAwMDAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1 OVowGDEWMBQGA1UEAxMNTUxTIENlcnQgTGVhZjBZMBMGByqGSM49AgEGCCqGSM49 AwEHA0IABJEq2LxVbZGSZr4q32NCQw2K2UKzSXnDy7dJLCbsdlES+ZwEIkGNUhER -pxGojS6aHNHZXk0vMEE/3I8P8D4KHlejZTBjMA4GA1UdDwEB/wQEAwIHgDAMBgNV -HRMBAf8EAjAAMA0GA1UdDgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0 -ZTAbBgNVHSUEFDASBgZngRICAQMGCCsGAQUFBwMCMAoGCCqGSM49BAMCA0gAMEUC -ICZ2aFiHqdwrk44duDdK3KB/j3o2KNsILy0kSrOL85x9AiEA19Xas5gJfMK02neq -UCzUZsXgFZDdfQdg05qikpSox1o= +pxGojS6aHNHZXk0vMEE/3I8P8D4KHlejYjBgMA4GA1UdDwEB/wQEAwIFoDAYBgNV +HSUEETAPBgZngRICAQMGBWeBBQgBMAwGA1UdEwEB/wQCMAAwDQYDVR0OBAYEBGxl +YWYwFwYDVR0jBBAwDoAMaW50ZXJtZWRpYXRlMAoGCCqGSM49BAMCA0cAMEQCIBPZ +e8YKCfB9njvqxscvNyXD9x+9oZvwGZ+yiudo1WFWAiB395X3vB8qc9sxVmuWMM8d +kHjKKyiamynH40DPyKgvjw== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBkzCCATmgAwIBAgIBAjAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1NTFMgQ2Vy
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth-extra/mlsclientauth.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth-extra/mlsclientauth.test index 82d223f..db097f6 100644 --- a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth-extra/mlsclientauth.test +++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth-extra/mlsclientauth.test
@@ -4,6 +4,7 @@ key_purpose: MLS_CLIENT_AUTH expected_errors: ----- Certificate i=0 (CN=MLS Cert Leaf) ----- +ERROR: KeyUsage must have only the digitalSignature bit set for rcsMlsClient auth ERROR: The extended key usage does not contain only the rcsMlsClient key purpose. ----- Certificate i=1 (CN=MLS Cert Intermediate) -----
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth/make-mls-extensions.go b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth/make-mls-extensions.go index 3d9f65a..2b73624 100644 --- a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth/make-mls-extensions.go +++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-mlsclientauth/make-mls-extensions.go
@@ -125,6 +125,7 @@ leafInvalid := leaf leafInvalid.template.UnknownExtKeyUsage = []asn1.ObjectIdentifier{[]int{2, 23, 146, 2, 1, 3}, []int{2, 23, 133, 8, 1}} + leafInvalid.template.KeyUsage |= x509.KeyUsageKeyEncipherment mustGenerateCertificate("mls_client_leaf_extra_eku.pem", &leafInvalid, &intermediateInvalid) }
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-any/mlsclientauth.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/mlsclientauth.test index 57f822e..8ce80de 100644 --- a/pki/testdata/verify_certificate_chain_unittest/target-eku-any/mlsclientauth.test +++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/mlsclientauth.test
@@ -4,6 +4,7 @@ key_purpose: MLS_CLIENT_AUTH expected_errors: ----- Certificate i=0 (CN=Target) ----- +ERROR: KeyUsage must have only the digitalSignature bit set for rcsMlsClient auth ERROR: The extended key usage does not contain only the rcsMlsClient key purpose. ----- Certificate i=1 (CN=Intermediate) -----
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-many/mlsclientauth.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/mlsclientauth.test index 57f822e..8ce80de 100644 --- a/pki/testdata/verify_certificate_chain_unittest/target-eku-many/mlsclientauth.test +++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/mlsclientauth.test
@@ -4,6 +4,7 @@ key_purpose: MLS_CLIENT_AUTH expected_errors: ----- Certificate i=0 (CN=Target) ----- +ERROR: KeyUsage must have only the digitalSignature bit set for rcsMlsClient auth ERROR: The extended key usage does not contain only the rcsMlsClient key purpose. ----- Certificate i=1 (CN=Intermediate) -----
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-none/mlsclientauth.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-none/mlsclientauth.test index 52d1446..c34bd13 100644 --- a/pki/testdata/verify_certificate_chain_unittest/target-eku-none/mlsclientauth.test +++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-none/mlsclientauth.test
@@ -4,6 +4,7 @@ key_purpose: MLS_CLIENT_AUTH expected_errors: ----- Certificate i=0 (CN=Target) ----- +ERROR: KeyUsage must have only the digitalSignature bit set for rcsMlsClient auth ERROR: Certificate does not have extended key usage ----- Certificate i=1 (CN=Intermediate) -----
diff --git a/pki/verify_certificate_chain.cc b/pki/verify_certificate_chain.cc index 219273f..0e45373 100644 --- a/pki/verify_certificate_chain.cc +++ b/pki/verify_certificate_chain.cc
@@ -246,6 +246,17 @@ } if (required_key_purpose == KeyPurpose::RCS_MLS_CLIENT_AUTH) { + // Enforce the key usage restriction for a leaf from section A.3.8.3 here + // as well. + if (is_target_cert && + (!cert.has_key_usage() || + // This works to enforce that digital signature is the only bit because + // digital signature is bit 0. + !cert.key_usage().AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE) || + cert.key_usage().bytes().size() != 1 || + cert.key_usage().unused_bits() != 7)) { + errors->AddError(cert_errors::kKeyUsageIncorrectForRcsMlsClient); + } // Rules for MLS client auth. For the leaf and all intermediates, EKU must // be present and have exactly one EKU which is rcsMlsClient. if (!cert.has_extended_key_usage()) {