SecurityEngineering/Removing Compatibility Workarounds in mozilla::pkix: Difference between revisions
Jump to navigation
Jump to search
(combine sections, add bugs for empty SEQUENCE and keyUsage) |
(reorganize items into finished, ready, potentially ready, and not ready to be removed) |
||
| Line 1: | Line 1: | ||
In the process of implementing mozilla::pkix, a number of compatibility issues were encountered involving certificates that did not conform to the Baseline Requirements. To maintain interoperability, some workarounds were added to allow these malformed or improper certificates to validate successfully. However, to improve the state of the web PKI, these workarounds will be removed. As of Firefox 49, if a certificate has a notBefore time after 0:00 23 August 2016 and is affected by any of these workarounds (see below), it will not validate successfully. This document will track the implementation work necessary to remove those workarounds. | In the process of implementing mozilla::pkix, a number of compatibility issues were encountered involving certificates that did not conform to the Baseline Requirements. To maintain interoperability, some workarounds were added to allow these malformed or improper certificates to validate successfully. However, to improve the state of the web PKI, these workarounds will be removed. As of Firefox 49, if a certificate has a notBefore time after 0:00 23 August 2016 and is affected by any of these workarounds (see below), it will not validate successfully. This document will track the implementation work necessary to remove those workarounds. | ||
* id-Netscape-stepUp in Extended Key Usage extension instead of id-kp-serverAuth | === Completed === | ||
* use of subject CN for naming information (Firefox 48) | |||
** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=1063281 bug 1063281] | |||
** Workaround removed in [https://bugzilla.mozilla.org/show_bug.cgi?id=1245280 bug 1245280] | |||
* id-Netscape-stepUp in Extended Key Usage extension instead of id-kp-serverAuth (Firefox 49) | |||
** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=1006041 bug 1006041] | ** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=1006041 bug 1006041] | ||
** Workaround | ** Workaround removed in [https://bugzilla.mozilla.org/show_bug.cgi?id=982932 bug 982932] | ||
=== Ready to be Removed === | |||
* DER: pathLenConstraint included when cA:False | * DER: pathLenConstraint included when cA:False | ||
** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=985021 bug 985021] | ** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=985021 bug 985021] | ||
| Line 17: | Line 14: | ||
** Code affected: CheckIssuerIndependentProperties -> CheckBasicConstraints (pkixcheck.cpp) | ** Code affected: CheckIssuerIndependentProperties -> CheckBasicConstraints (pkixcheck.cpp) | ||
** Expected difficulty: easy | ** Expected difficulty: easy | ||
* nameConstraints/subjectAlternativeName encoding mismatches | * nameConstraints/subjectAlternativeName encoding mismatches | ||
** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=1150114 bug 1150114] | ** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=1150114 bug 1150114] | ||
| Line 32: | Line 19: | ||
** Code affected: pkixnames.cpp | ** Code affected: pkixnames.cpp | ||
** Expected difficulty: moderate | ** Expected difficulty: moderate | ||
* keyUsage lacking keyEncipherment for certs with RSA keys | |||
** Workaround introduced in n/a | |||
** Workaround to be removed in [https://bugzilla.mozilla.org/show_bug.cgi?id=970760 bug 970760] | |||
** See also [https://bugzilla.mozilla.org/show_bug.cgi?id=1133562 bug 1133562] | |||
** Code affected: CertVerifier.cpp | |||
** Expected difficulty: moderate | |||
=== Potentially Ready to be Removed === | |||
* empty SEQUENCE in OCSP responses | * empty SEQUENCE in OCSP responses | ||
** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=991898 bug 991898] | ** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=991898 bug 991898] | ||
| Line 37: | Line 31: | ||
** Code affected: pkixocsp.cpp, pkixder.h | ** Code affected: pkixocsp.cpp, pkixder.h | ||
** Expected difficulty: moderate | ** Expected difficulty: moderate | ||
* | === Not Ready to be Removed === | ||
** Workaround introduced in | * DER: default value of OPTIONAL BOOLEAN explicitly encoded | ||
** Workaround to be removed in [https://bugzilla.mozilla.org/show_bug.cgi?id= | ** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=989516 bug 989516] for Basic Constraints (cA field) | ||
** | ** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=1060929 bug 1060929] for Extension (critical field) | ||
** Code affected: | ** Workaround to be removed in [https://bugzilla.mozilla.org/show_bug.cgi?id=989518 bug 989518] | ||
** Code affected: pkixcheck.cpp, pkixder.h, pkixcert.cpp, pkixocsp.cpp | |||
** Expected difficulty: difficult | |||
* Non-PrintableString/UTF8String in DNs | |||
** Workaround introduced in [https://bugzilla.mozilla.org/show_bug.cgi?id=1089104 bug 1089104] | |||
** Workaround to be removed in [https://bugzilla.mozilla.org/show_bug.cgi?id=1256071 bug 1256071] | |||
** Code affected: pkixnames.cpp | |||
** Expected difficulty: moderate | ** Expected difficulty: moderate | ||
Latest revision as of 20:46, 17 May 2016
In the process of implementing mozilla::pkix, a number of compatibility issues were encountered involving certificates that did not conform to the Baseline Requirements. To maintain interoperability, some workarounds were added to allow these malformed or improper certificates to validate successfully. However, to improve the state of the web PKI, these workarounds will be removed. As of Firefox 49, if a certificate has a notBefore time after 0:00 23 August 2016 and is affected by any of these workarounds (see below), it will not validate successfully. This document will track the implementation work necessary to remove those workarounds.
Completed
- use of subject CN for naming information (Firefox 48)
- Workaround introduced in bug 1063281
- Workaround removed in bug 1245280
- id-Netscape-stepUp in Extended Key Usage extension instead of id-kp-serverAuth (Firefox 49)
- Workaround introduced in bug 1006041
- Workaround removed in bug 982932
Ready to be Removed
- DER: pathLenConstraint included when cA:False
- Workaround introduced in bug 985021
- Workaround to be removed in bug 985025
- Code affected: CheckIssuerIndependentProperties -> CheckBasicConstraints (pkixcheck.cpp)
- Expected difficulty: easy
- nameConstraints/subjectAlternativeName encoding mismatches
- Workaround introduced in bug 1150114
- Workaround to be removed in bug 1256073
- Code affected: pkixnames.cpp
- Expected difficulty: moderate
- keyUsage lacking keyEncipherment for certs with RSA keys
- Workaround introduced in n/a
- Workaround to be removed in bug 970760
- See also bug 1133562
- Code affected: CertVerifier.cpp
- Expected difficulty: moderate
Potentially Ready to be Removed
- empty SEQUENCE in OCSP responses
- Workaround introduced in bug 991898
- Workaround to be removed in bug 997994
- Code affected: pkixocsp.cpp, pkixder.h
- Expected difficulty: moderate
Not Ready to be Removed
- DER: default value of OPTIONAL BOOLEAN explicitly encoded
- Workaround introduced in bug 989516 for Basic Constraints (cA field)
- Workaround introduced in bug 1060929 for Extension (critical field)
- Workaround to be removed in bug 989518
- Code affected: pkixcheck.cpp, pkixder.h, pkixcert.cpp, pkixocsp.cpp
- Expected difficulty: difficult
- Non-PrintableString/UTF8String in DNs
- Workaround introduced in bug 1089104
- Workaround to be removed in bug 1256071
- Code affected: pkixnames.cpp
- Expected difficulty: moderate