Comments (10)
Example: use a self-signed cert on the server side, and on the client side do not load the root cert which signed the server cert; the client side just uses webpki-roots as anchors.
Then the client side will never be able to verify the server certificate, and will loop to do build_chain again and again for a very long time before it ends.
Which version of webpki are you using? If 0.22.1, did it work with 0.22.0?
> Which version of webpki are you using? If 0.22.1, did it work with 0.22.0?
0.22.1
Thanks. What happens if you use 0.22.0?
> Thanks. What happens if you use 0.22.0?
It has the same problem.
I think rustls-webpki also has this problem; the verify_cert.rs files are the same as each other.
I tested that when given 10 intermediate certs, the build_chain_inner function is called 2060312 times and takes 22s to end.
I guess the time is relative to n!, where n is the number of intermediates.
The counter signatures just limits the number of times verify_signed_data is called, but does not limit the total number of recursive calls to build_chain_inner.
I'm not sure whether we need to limit the total recursion count, because when given one correct chain that has a large number of intermediate certs, although it will take a long time to verify, it will verify successfully in the end.
> I tested that when given 10 intermediate certs, the build_chain_inner function is called 2060312 times and takes 22s to end.
Could you clarify exactly what this test case looks like? Because trying to reproduce with a ten-deep untrusted chain doesn't do that for me, though I can reproduce this issue with other shapes of chains.
It seems like a mistake to allow the same certificate to appear multiple times in the intermediates list (AFAIK that cannot, by definition, ever make an invalid chain become valid?)
> It seems like a mistake to allow the same certificate to appear multiple times in the intermediates list (AFAIK that cannot, by definition, ever make an invalid chain become valid?)
That's right. See https://github.com/nss-dev/nss/blob/bb4a1d38dd9e92923525ac6b5ed0288479f3f3fc/lib/mozpkix/lib/pkixbuild.cpp#L160. See also buildForwardCallBudget in the same code base.
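To make the combinatorics in this thread concrete, here is a toy path builder in Rust. It is an added illustration, not code from webpki or rustls-webpki, and the struct, function names and the budget value are assumptions. It searches issuers by name, applies a loop check in the style of RFC 4158 (skip a candidate whose subject and key are already on the path) and counts how often the recursive function is entered. No signature is ever verified in it, so a counter on signature checks like the one mentioned above would not bound the work shown here. Two constructed adversarial shapes are included: n distinct keys that all carry the same name (every ordering of them is explored, so the count grows with n!), and a straight chain whose intermediates are pasted several times into the list (exponential in depth). It also shows the two remedies named in this thread, dropping identical duplicates and a hard call budget in the spirit of buildForwardCallBudget:

```rust
// Toy model of name-based certificate path building. Added example, not code
// from webpki or rustls-webpki; all names and the budget value are assumptions.
use std::collections::HashSet;

/// Stand-in for a parsed certificate; `key_id` plays the role of the SPKI.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Cert {
    pub subject: String,
    pub issuer: String,
    pub key_id: u32,
}

fn cert(subject: &str, issuer: &str, key_id: u32) -> Cert {
    Cert { subject: subject.to_string(), issuer: issuer.to_string(), key_id }
}

#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    UnknownIssuer,
    BudgetExhausted, // the hard stop a call budget adds (assumed name)
}

struct Builder<'a> {
    anchors: &'a [Cert],
    intermediates: &'a [Cert],
    calls: usize,          // how often build_chain_inner was entered
    budget: Option<usize>, // None reproduces the unbounded search
}

impl<'a> Builder<'a> {
    fn build_chain_inner(&mut self, cert: &Cert, chain: &mut Vec<Cert>) -> Result<(), PathError> {
        self.calls += 1;
        if self.budget.map_or(false, |b| self.calls > b) {
            return Err(PathError::BudgetExhausted); // fatal: abort the whole search
        }
        // Reaching a trust anchor by name ends the search (no signature is checked).
        if self.anchors.iter().any(|a| a.subject == cert.issuer) {
            return Ok(());
        }
        for candidate in self.intermediates {
            if candidate.subject != cert.issuer {
                continue;
            }
            // Loop check in the style of RFC 4158: skip a candidate whose (subject, key)
            // is already on the path. Distinct keys under one name all pass this check.
            if chain.iter().any(|c| c.subject == candidate.subject && c.key_id == candidate.key_id) {
                continue;
            }
            chain.push(candidate.clone());
            let result = self.build_chain_inner(candidate, chain);
            chain.pop();
            match result {
                Ok(()) => return Ok(()),
                Err(PathError::BudgetExhausted) => return Err(PathError::BudgetExhausted),
                Err(PathError::UnknownIssuer) => {} // non-fatal: try the next candidate
            }
        }
        Err(PathError::UnknownIssuer)
    }
}

/// Runs the builder; returns the outcome and the number of recursive calls made.
pub fn build(ee: &Cert, anchors: &[Cert], inters: &[Cert], budget: Option<usize>) -> (Result<(), PathError>, usize) {
    let mut b = Builder { anchors, intermediates: inters, calls: 0, budget };
    let mut chain = vec![ee.clone()];
    let r = b.build_chain_inner(ee, &mut chain);
    (r, b.calls)
}

/// Shape A (constructed): n distinct keys all named "CA" issuing each other, no anchor "CA".
pub fn same_name_shape(n: u32) -> (Cert, Vec<Cert>) {
    (cert("leaf", "CA", 0), (1..=n).map(|i| cert("CA", "CA", i)).collect())
}

/// Shape B (constructed): straight chain leaf <- I1 <- .. <- Id <- Root, each Ii pasted `copies` times.
pub fn duplicated_chain(depth: u32, copies: usize) -> (Cert, Vec<Cert>) {
    let mut inters = Vec::new();
    for i in 1..=depth {
        let issuer = if i == depth { "Root".to_string() } else { format!("I{}", i + 1) };
        inters.extend(std::iter::repeat(cert(&format!("I{}", i), &issuer, i)).take(copies));
    }
    (cert("leaf", "I1", 0), inters)
}

/// Remedy suggested in the thread: drop byte-identical duplicates from the list.
pub fn dedup_intermediates(list: &[Cert]) -> Vec<Cert> {
    let mut seen = HashSet::new();
    list.iter().filter(|c| seen.insert((**c).clone())).cloned().collect()
}

fn main() {
    let (ee, inters) = same_name_shape(7);
    println!("same-name n=7, unbounded: {:?}", build(&ee, &[], &inters, None));
    println!("same-name n=7, budget 64: {:?}", build(&ee, &[], &inters, Some(64)));
    let (ee, inters) = duplicated_chain(4, 10);
    println!("duplicated chain: {:?}", build(&ee, &[], &inters, None));
    println!("after dedup: {:?}", build(&ee, &[], &dedup_intermediates(&inters), None));
}
```

With seven same-named keys the recursion is entered 13700 times (the sum over k of 7!/(7-k)!, one entry per ordering of every subset) and still ends in UnknownIssuer; the depth-4 chain with ten copies per level costs 11111 calls and 5 after deduplication. A budget of 64 aborts the first shape after 65 calls, while a genuine ten-deep chain to a present anchor needs only 11 calls, so a budget only has to exceed the length of an honest path, not the number of paths an attacker can make the builder enumerate, which is the distinction behind the concern about long valid chains raised above.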
> I tested that when given 10 intermediate certs, the build_chain_inner function is called 2060312 times and takes 22s to end.
> Could you clarify exactly what this test case looks like? Because trying to reproduce with a ten-deep untrusted chain doesn't do that for me, though I can reproduce this issue with other shapes of chains.
See https://github.com/stanal/tlsserver/tree/main
> It seems like a mistake to allow the same certificate to appear multiple times in the intermediates list (AFAIK that cannot, by definition, ever make an invalid chain become valid?)