Overly eager rejection of invalid trust program members?

[woodruffw]

Hi there! I was poking at astral-sh/uv#18890, and added some test cases to x509-limbo to test a theory of mine: C2SP/x509-limbo#585

Based on those results, rustls/webpki is doing something slightly out of alignment with other validators: it looks like you all prematurely reject members of a trust program (OS cert bundle, PEM bundle, whatever else) that don't satisfy your extension validator. By contrast, other validators only reject on chain construction if that invalid/unacceptable trust program member is actually used during construction.

You can see a matrix of behaviors for webpki versus other implementations here:

https://x509-limbo.com/testcases/rfc5280/#rfc5280unknown-critical-extension-unrelated-root

TL;DR is that all others accept a trusted set/trust program where rootB has an unrecognized critical extension, so long as rootB is not ever actually used during path construction.

Expected behavior

I think my expected behavior here is for the webpki crate to behave similarly to OpenSSL and other validators, where trust program members are not eagerly checked for extension validity.

In practice I think this is a non-issue for the Web PKI, it appears to mostly snare corporate users who have a single PEM bundle for all of their corporate stuff, including CA certificates that contain critical Certificate Policies and other troublesome extensions. See astral-sh/uv#18890 (comment) for an example of that.

[woodruffw]

(Sorry, I prematurely hit "send" on that issue. Editing it in real time with more info...)

[cpu]

I opened C2SP/x509-limbo#586 before seeing this. I think it could be viewed as issue in the test harness?

[woodruffw]

Looking now! Sorry for the crossed wires 😅

[cpu]

No worries, I think it's worth discussing whether it makes sense for the trust anchor extraction to error in this case separate from whether the harness early exits on those errors or not.

[ctz]

Interesting philosophical question here -- whether ignoring critical extensions on a trust-anchor-presented-as-certificate is good or not, given:

• critical extensions mean rejecting the input if the extension "contains information that [a certificate-using system] cannot process" (sec 4.2)
• no extensions are specified as being used in this scope (see RFC5280 6.1.1 item (d)), so none are processed.

On the other hand:

• probably the trust-anchor-as-certificate path is already trusted, so the intended function of applying an interlock for new security controls in an extension is not really relevant.
• webpki already does actually process extensions in this context, in order to apply name constraints from the anchor upwards. That's either silly, or essential but completely omitted from RFC5280's model of trust anchors.

[woodruffw]

Yeah, this is a really messy part of X.509's theory of trust 😅 -- what PyCA Cryptography does here is consider any well-formed X.509 envelope as valid for trust program inclusion, and then we incrementally validate extensions (based on our interpretation of RFC 5280 / CABF) as needed when a given chain candidate requests a given trust program member. I have basically zero confidence that this is "correct" in an abstract sense, however.

[zanieb]

In reply to C2SP/x509-limbo#586 (review), if this doesn't change in webpki I think we'd want to advocate for reqwest do something like change Certificate::add_to_rustls to use RootCertStore::add_parsable_certificates in order to resolve this downstream in uv — otherwise we're forced to filter the certificates ourselves ahead of time which is a bit awkward (and means all the certificates are parsed twice in the happy path).

[djc]

In reply to C2SP/x509-limbo#586 (review), if this doesn't change in webpki I think we'd want to advocate for reqwest do something like change Certificate::add_to_rustls to use RootCertStore::add_parsable_certificates in order to resolve this downstream in uv — otherwise we're forced to filter the certificates ourselves ahead of time which is a bit awkward (and means all the certificates are parsed twice in the happy path).

cc @seanmonstar

This stuff is tricky because it probably makes sense to ignore errors from parsing trust anchor DER/PEM if only a few out of the system-provided set of trust anchors are affected, but if a reqwest API user provides a DER/PEM certificate directly you should propagate the error to them -- in other words, the logic should perhaps be different for the system-provided trust set vs user-provided anchors. It's not quite obvious to me whether that aligns with what reqwest implements today.

[djc]

I've drafted a potential way forward to allow unknown critical extensions only when creating a TrustAnchor from DER:

• Allow parsing trust anchors with unknown critical extensions #465

I guess this would probably not be too hard to backport to 0.103.x if it gets accepted.

[djc]

This is now available in 0.103.11.

[woodruffw]

Thanks a ton @djc!