verify cert run long time when given one faked cert with large intermediate_certs that can't be verified by any anchors #276
Comments
Example: use a self-signed cert on the server side; the client side does not load the root cert that signed the server cert and just uses webpki-roots as anchors.
Which version of
0.22.1
Thanks. What happens if you use 0.22.0?
It has the same problem.
the counter
I'm not sure whether we need to limit the total recursion count, because when given a correct chain that has a large number of intermediate certs, although it will take a long time to verify, it will verify successfully in the end.
Could you clarify exactly what this test case looks like? Because trying to reproduce with a ten-deep untrusted chain doesn't do that for me, though I can reproduce this issue with other shapes of chains. It seems like a mistake to allow the same certificate to appear multiple times in the intermediates list (AFAIK that cannot, by definition, ever make an invalid chain become valid?)
That's right. See https://github.com/nss-dev/nss/blob/bb4a1d38dd9e92923525ac6b5ed0288479f3f3fc/lib/mozpkix/lib/pkixbuild.cpp#L160. See also
See https://github.com/stanal/tlsserver/tree/main
This is intended to be complementary to the signature validation limit fix and addresses briansmith#276 in the same manner as NSS libmozpkix.
Given one cert that can't be verified by any CA in all anchors, check_signatures can never be called.
The verify logic will take a long time to end (maybe exponential or quadratic time).
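The two mitigations raised in this thread, dropping repeated intermediates and capping the total number of path-building steps, can be compared in a toy model. This is an added example, not code from webpki or NSS; `Cert`, `Builder`, `run`, the depth cap of 6 and the budget of 100 are assumptions of the example, and certificates are reduced to name pairs with no signature checks.

```rust
// Toy model for illustration: a certificate is only a (subject, issuer) name pair.
// No signatures are checked; this is not webpki's or NSS's code.
#[derive(Clone, Debug, PartialEq)]
struct Cert { subject: &'static str, issuer: &'static str }

#[derive(Debug, PartialEq)]
enum Outcome { Trusted, UnknownIssuer, BudgetExceeded }
const MAX_DEPTH: usize = 6; // assumed chain-depth cap for this model

struct Builder<'a> {
    anchors: &'a [&'static str], // subject names of trust anchors
    pool: &'a [Cert],            // intermediates supplied by the peer
    budget: Option<u64>,         // cap on candidates tried; None = no cap
    steps: u64,                  // candidates tried so far
}

impl<'a> Builder<'a> {
    fn build(&mut self, cert: &Cert, depth: usize) -> Outcome {
        if self.anchors.contains(&cert.issuer) { return Outcome::Trusted; }
        if depth >= MAX_DEPTH { return Outcome::UnknownIssuer; }
        let pool = self.pool;
        for cand in pool.iter().filter(|c| c.subject == cert.issuer) {
            self.steps += 1;
            if self.budget.map_or(false, |b| self.steps > b) { return Outcome::BudgetExceeded; }
            match self.build(cand, depth + 1) {
                Outcome::UnknownIssuer => continue, // dead end, try the next candidate
                done => return done,                // Trusted or BudgetExceeded ends the search
            }
        }
        Outcome::UnknownIssuer
    }
}

// Constructed input: a leaf whose issuer matches `copies` identical untrusted intermediates.
fn run(copies: usize, budget: Option<u64>, dedupe: bool) -> (Outcome, u64) {
    let fake = Cert { subject: "Fake CA", issuer: "Fake CA" };
    let mut pool = vec![fake; copies];
    if dedupe { pool.dedup(); } // identical entries are adjacent here
    let leaf = Cert { subject: "server", issuer: "Fake CA" };
    let mut b = Builder { anchors: &["Real Root"], pool: &pool, budget, steps: 0 };
    let outcome = b.build(&leaf, 0);
    (outcome, b.steps)
}

fn main() {
    println!("{:?}", run(5, None, false));      // every path explored
    println!("{:?}", run(5, None, true));       // duplicates removed first
    println!("{:?}", run(5, Some(100), false)); // budget stops the search
}
```

With five copies and no limit the model tries 5 + 5² + … + 5⁶ candidates before giving up; deduplication or a budget bounds that work without changing the outcome for a chain that really does reach an anchor within the budget.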