Do CA checks to verify authentication by default #81
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a follow-up to b665b28. An attacker that is able to login into a token could bypass authentication by using its own certificate with any valid signature. This change makes the default "ca, signature" with the only way to disable CA check by using "no_ca". This, however, also makes the "none" option disabling CRL and OCSP checks only.
Jakuje
reviewed
Feb 24, 2025
| @@ -467,7 +467,7 @@ int verify_certificate(X509 * x509, cert_policy *policy) | |||
| X509_STORE_CTX *ctx = NULL; | |||
|
|
|||
| /* if neither ca nor crl check are requested skip */ | |||
| if ( (policy->ca_policy==0) && (policy->crl_policy==CRLP_NONE) ) { | |||
| if ( (!policy->no_ca_policy==0) && (policy->crl_policy==CRLP_NONE) ) { | |||
There was a problem hiding this comment.
I think it would be more readable to write this as
Suggested change
| if ( (!policy->no_ca_policy==0) && (policy->crl_policy==CRLP_NONE) ) { | |
| if ( (policy->no_ca_policy==1) && (policy->crl_policy==CRLP_NONE) ) { |
| @@ -408,7 +408,7 @@ static X509_STORE * setup_store(cert_policy *policy) { | |||
| } | |||
| } | |||
| /* add needed hash dir pathname entries */ | |||
| if ( (policy->ca_policy) && (is_dir(policy->ca_dir)>0) ) { | |||
| if ( (!policy->no_ca_policy) && (is_dir(policy->ca_dir)>0) ) { | |||
There was a problem hiding this comment.
I think this would be better readable as
Suggested change
| if ( (!policy->no_ca_policy) && (is_dir(policy->ca_dir)>0) ) { | |
| if ( (policy->no_ca_policy==0) && (is_dir(policy->ca_dir)>0) ) { |
(similarly the following change)
| # CRLs | ||
| # "signature" Does a signature check to ensure that private | ||
| # and public key matches | ||
| # "no_signature" The only value that disables signature check |
There was a problem hiding this comment.
This needs to be updated also in the documentation. I initially missed that, but I think the xml source is here:
https://github.com/OpenSC/pam_pkcs11/blob/master/doc/pam_pkcs11.xml#L616
If I see right, the no_signature part is not documented here either.
Having example files as the only documentation is not very good practice.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a follow-up to b665b28.
An attacker that is able to login into a token could bypass authentication by using its own certificate with any valid signature.
This change makes the default "ca, signature" with the only way to disable CA check by using "no_ca".
This, however, also makes the "none" option disabling CRL and OCSP checks only.
Resolves #80