Page MenuHome GnuPG
Create Task
Maniphest T5882

Cross signing certificate in X.509 support
Open, NormalPublic
Actions

Description

For the support of cross signing certificates, we need to fix our code for certificate validation in:

  • gpgsm
  • dirmngr (when used with NTBTLS for https)

Sample certificates are available:
https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/

And it is started to be used by Let's Encrypt migration, in September 2021.

https://security.stackexchange.com/questions/14043/what-is-the-use-of-cross-signing-certificates-in-x-509

https://ravendb.net/articles/how-cross-signing-works-with-x509-certificates

Related Objects
Search...

Event Timeline

gniibe triaged this task as Normal priority.Mar 17 2022, 12:45 AM
gniibe created this task.
gniibe added a subtask: T5639: dirmngr uses the wrong Let's encrypt chain.
gniibe added subtasks: T5445: gpgsm fails to find path to valid X.509 root when cross-signed intermediate certificate is present, T2972: GPGSM: Chain too long on cross signed certificate.Mar 17 2022, 12:48 AM
gniibe mentioned this in T5639: dirmngr uses the wrong Let's encrypt chain.Mar 17 2022, 1:15 AM
gniibe added a comment.Mar 28 2022, 8:37 AM

I read OpenSSL implementation.
It does NOT implement backtracking.
In openssl/crypto/x509/x509_vfy.c, it has a function find_issuer which does:

  • exclude a issuer when it's already in ctx->chain (can avoid recursion forever)
  • prefer the first non-expired one, else take the most recently expired one.

This way, we can solve T2972 and T5639. Not sure for T5445.

werner closed subtask T5639: dirmngr uses the wrong Let's encrypt chain as Resolved.Apr 14 2022, 2:00 PM
TheParanoidProgrammer added a subscriber: TheParanoidProgrammer.Apr 14 2022, 2:07 PM
NoSubstitute added a subscriber: NoSubstitute.Apr 30 2022, 3:06 PM
gniibe added a subtask: T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.Aug 26 2022, 7:41 AM

T6142 was solved by rejecting expired root certificate.

gniibe mentioned this in T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.Aug 30 2022, 8:31 AM
werner changed the status of subtask T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired from Open to Testing.Sep 22 2022, 10:46 AM
werner closed subtask T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired as Resolved.Oct 5 2022, 4:20 PM
NoSubstitute added a comment.Feb 20 2024, 11:58 AM

Is this no longer a problem, and someone just forgot to close the issue, or is it now uncommon enough to keep it low priority?

gniibe added a comment.Feb 21 2024, 1:47 AM

This is a group of tasks of dirmngr and gpgsm.

Cross signing certificate for HTTPS was actually used. For dirmngr (certificate for https), it is solved.

For use cases of gpgsm (S/MIME), it is not common to use cross signing certificates. It is not confirmed if fixes done for dirmngr solved the issues of gpgsm or not.

zablockil mentioned this in T7319: gpgsm/dirmngr: Improve forward path-building via http AIA extension in x.509 certificates.Oct 2 2024, 11:04 PM