Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"Certificate extension has incorrect criticality" error when verifying X.509 certificate used for timestamping #12124

Open
kislyuk opened this issue Dec 8, 2024 · 7 comments

Comments

@kislyuk
Copy link

kislyuk commented Dec 8, 2024

I am trying to use Cryptography to verify X.509 certificates used for TSP (RFC 3161) timestamping. This functionality is now particularly in demand since access to the OpenSSL verification routines has been removed from pyOpenSSL.

The following certificate is distributed by DigiCert with TSP signatures:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:ae:66:bc:5a:ba:7f:95:87:c6:f9:e9:04:e3:33:04
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
        Validity
            Not Before: Sep 26 00:00:00 2024 GMT
            Not After : Nov 25 23:59:59 2035 GMT
        Subject: C=US, O=DigiCert, CN=DigiCert Timestamp 2024
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:be:6a:73:9f:f6:95:21:ab:96:30:ba:5b:6d:e6:
                    59:a3:b5:e8:fd:91:1f:18:c4:88:3b:6a:99:e3:a5:
                    c1:fd:0a:30:20:43:12:be:08:c4:74:46:77:bf:8b:
                    eb:ad:31:e5:79:6d:49:58:61:2b:ae:33:8b:d0:9e:
                    0b:d0:7a:95:47:57:33:4b:3b:d4:43:9c:45:ef:3e:
                    08:42:69:fb:74:76:3b:ca:28:ef:a1:0e:ee:8e:6d:
                    2e:eb:25:c5:da:fd:42:af:36:68:a7:29:03:d3:bf:
                    fd:7e:90:13:e0:1c:69:4f:db:c9:a0:9a:80:b0:ff:
                    18:ba:14:6f:7e:52:7d:61:e1:e3:7a:ce:1f:76:e9:
                    2c:4c:7b:a5:9e:da:bd:59:e9:51:59:8f:be:4c:53:
                    f1:cd:9a:db:20:b4:58:ca:7c:84:cb:ba:d2:d6:51:
                    d0:28:5a:57:be:8d:86:78:f7:ec:31:18:4d:7f:51:
                    78:d6:7c:84:83:98:7b:88:e5:ef:fa:f8:d7:d0:af:
                    11:85:48:ac:7e:ac:37:4d:32:c7:8f:5b:a1:4b:ae:
                    98:5f:62:d9:3f:14:b8:a1:a7:f7:de:ba:7d:1e:57:
                    ea:48:17:8f:7a:39:58:78:47:54:ef:8d:06:29:03:
                    3b:49:a5:52:1f:74:db:04:bf:11:e8:7c:17:f5:05:
                    69:1a:75:cf:94:a7:44:e1:f0:48:9f:90:41:16:75:
                    7e:2b:03:f1:44:d5:0d:2b:a9:58:93:6c:b5:59:22:
                    a8:ba:be:21:24:dd:12:32:4a:1a:35:5f:21:cb:20:
                    03:89:7d:71:b9:3c:4a:69:73:75:d8:78:11:fb:c5:
                    ae:95:4d:9d:eb:38:73:5e:89:89:d8:f9:5e:23:d5:
                    76:c9:f9:9f:5d:23:c6:61:a9:c6:83:1c:ea:23:e4:
                    a1:a0:e1:8b:a2:63:1d:de:62:6d:f7:69:e6:ec:c8:
                    5e:9e:0f:d3:05:e4:80:db:3e:08:ef:c2:69:c0:6a:
                    53:44:78:93:ef:21:ea:06:25:76:9e:05:08:c8:2b:
                    5d:d2:96:7c:ce:0d:d2:ed:b9:38:40:2e:11:ad:c9:
                    ca:27:71:5b:8f:23:c0:1a:88:26:a2:26:77:dd:cd:
                    47:1b:dd:d5:a7:a9:49:e3:5e:44:45:c0:bb:6c:54:
                    0c:45:bc:6a:ac:c5:40:36:26:af:d6:4e:36:e7:36:
                    32:14:cc:8b:37:21:35:42:e9:50:4a:00:e9:5b:da:
                    ed:bd:57:08:1f:b5:af:1b:db:2a:62:ea:7d:8f:cc:
                    fd:27:55:ea:6c:16:4f:27:95:cb:96:7f:26:4b:cc:
                    16:99:d0:cb:9c:11:d7:81:89:72:fe:9d:43:86:84:
                    28:e5:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: critical
                Time Stamping
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.4.2
                Policy: 2.16.840.1.114412.7.1
            X509v3 Authority Key Identifier: 
                BA:16:D9:6D:4D:85:2F:73:29:76:9A:2F:75:8C:6A:20:8F:9E:C8:6F
            X509v3 Subject Key Identifier: 
                9F:57:2C:03:77:0E:28:15:90:66:A5:63:5E:EE:4F:92:1F:76:A0:5B
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3d:ad:1e:1f:76:99:5b:e3:38:84:12:47:d9:43:91:f6:11:db:
        9b:4e:08:1d:d1:28:4f:cf:d3:dc:7b:81:4b:26:5e:ab:78:d2:
        8b:91:97:79:63:fb:c4:22:a1:56:2a:de:28:29:c2:b3:ef:06:
        66:5d:ae:55:81:6f:41:ef:a9:3d:34:9c:54:97:82:65:2b:0c:
        a3:52:42:a1:93:76:98:c7:b0:fc:be:2d:a6:a5:4d:6d:2a:56:
        3b:d4:06:17:07:cc:13:2e:b4:1e:87:cd:e9:5e:75:b0:c2:cc:
        5c:d4:cb:7e:15:6a:b3:e7:bc:85:ab:a9:5a:20:2b:4a:8c:f2:
        02:61:87:ff:aa:0c:40:08:74:ef:ca:91:87:ac:2f:24:d5:3a:
        82:78:79:3a:bb:82:3f:54:14:02:f5:52:bb:89:2a:54:e7:09:
        56:8c:d9:47:94:51:6f:fc:cf:77:ef:8f:18:4d:ea:17:53:f7:
        c5:6b:d8:56:25:09:2e:cc:6d:be:07:bf:9b:30:3b:e6:80:5f:
        15:94:9b:75:a9:07:25:ed:81:54:31:88:19:53:55:8c:ea:7c:
        b0:db:7b:d3:e9:04:a0:c1:7e:4f:ab:69:b4:c5:0d:95:e8:52:
        47:bb:cc:f8:2d:77:bf:df:bd:64:e5:0a:cd:f4:54:01:84:b2:
        c8:49:98:b6:c9:e9:96:d0:ff:19:65:fc:78:ce:f4:96:cd:55:
        e9:01:bf:64:e0:7a:6f:a6:2e:9b:51:ef:22:2b:a5:a8:9d:44:
        95:eb:23:e5:33:07:ab:c0:96:4f:fc:6b:5b:bb:70:8a:95:d3:
        27:9f:e2:e6:99:14:e4:4d:7a:45:20:40:74:ea:75:d9:ac:3c:
        21:08:61:03:fb:c4:6c:59:04:88:5d:9a:6e:1b:85:8b:15:03:
        a1:b6:5a:03:45:61:a8:0b:0c:1c:e9:9a:4f:75:d3:85:90:cd:
        8b:95:36:cc:72:a1:52:ce:6e:1c:77:46:e8:1a:10:6a:ee:f9:
        2a:23:5b:87:47:3e:85:ab:52:17:ed:36:91:42:e4:7e:d0:11:
        8e:cc:84:a4:72:ac:17:bb:b9:cc:a4:5b:b7:9a:0a:e5:81:b0:
        16:f8:1c:e2:91:15:50:dc:ad:98:1d:c1:a4:88:a8:c0:e2:08:
        b8:38:0f:e4:cf:56:02:b1:d8:48:04:75:ea:07:34:74:fd:97:
        76:43:04:3f:97:81:b1:7e:db:7f:f3:06:37:82:b7:1c:fe:74:
        bf:fd:35:64:7a:3f:67:99:46:2e:f3:70:43:b5:c7:07:1d:72:
        a2:6c:cb:3f:c9:71:e1:0d:73:64:a0:f2:1d:ca:78:55:02:4b:
        bb:69:16:4e:c2:ac:3a:a4
-----BEGIN CERTIFICATE-----
MIIGvDCCBKSgAwIBAgIQC65mvFq6f5WHxvnpBOMzBDANBgkqhkiG9w0BAQsFADBj
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xOzA5BgNVBAMT
MkRpZ2lDZXJ0IFRydXN0ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGltZVN0YW1waW5n
IENBMB4XDTI0MDkyNjAwMDAwMFoXDTM1MTEyNTIzNTk1OVowQjELMAkGA1UEBhMC
VVMxETAPBgNVBAoTCERpZ2lDZXJ0MSAwHgYDVQQDExdEaWdpQ2VydCBUaW1lc3Rh
bXAgMjAyNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5qc5/2lSGr
ljC6W23mWaO16P2RHxjEiDtqmeOlwf0KMCBDEr4IxHRGd7+L660x5XltSVhhK64z
i9CeC9B6lUdXM0s71EOcRe8+CEJp+3R2O8oo76EO7o5tLuslxdr9Qq82aKcpA9O/
/X6QE+AcaU/byaCagLD/GLoUb35SfWHh43rOH3bpLEx7pZ7avVnpUVmPvkxT8c2a
2yC0WMp8hMu60tZR0ChaV76Nhnj37DEYTX9ReNZ8hIOYe4jl7/r419CvEYVIrH6s
N00yx49boUuumF9i2T8UuKGn9966fR5X6kgXj3o5WHhHVO+NBikDO0mlUh902wS/
Eeh8F/UFaRp1z5SnROHwSJ+QQRZ1fisD8UTVDSupWJNstVkiqLq+ISTdEjJKGjVf
IcsgA4l9cbk8Smlzddh4EfvFrpVNnes4c16Jidj5XiPVdsn5n10jxmGpxoMc6iPk
oaDhi6JjHd5ibfdp5uzIXp4P0wXkgNs+CO/CacBqU0R4k+8h6gYldp4FCMgrXdKW
fM4N0u25OEAuEa3JyidxW48jwBqIJqImd93NRxvd1aepSeNeREXAu2xUDEW8aqzF
QDYmr9ZONuc2MhTMizchNULpUEoA6Vva7b1XCB+1rxvbKmLqfY/M/SdV6mwWTyeV
y5Z/JkvMFpnQy5wR14GJcv6dQ4aEKOX5AgMBAAGjggGLMIIBhzAOBgNVHQ8BAf8E
BAMCB4AwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAgBgNV
HSAEGTAXMAgGBmeBDAEEAjALBglghkgBhv1sBwEwHwYDVR0jBBgwFoAUuhbZbU2F
L3MpdpovdYxqII+eyG8wHQYDVR0OBBYEFJ9XLAN3DigVkGalY17uT5IfdqBbMFoG
A1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy
dFRydXN0ZWRHNFJTQTQwOTZTSEEyNTZUaW1lU3RhbXBpbmdDQS5jcmwwgZAGCCsG
AQUFBwEBBIGDMIGAMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
b20wWAYIKwYBBQUHMAKGTGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp
Q2VydFRydXN0ZWRHNFJTQTQwOTZTSEEyNTZUaW1lU3RhbXBpbmdDQS5jcnQwDQYJ
KoZIhvcNAQELBQADggIBAD2tHh92mVvjOIQSR9lDkfYR25tOCB3RKE/P09x7gUsm
Xqt40ouRl3lj+8QioVYq3igpwrPvBmZdrlWBb0HvqT00nFSXgmUrDKNSQqGTdpjH
sPy+LaalTW0qVjvUBhcHzBMutB6HzeledbDCzFzUy34VarPnvIWrqVogK0qM8gJh
h/+qDEAIdO/KkYesLyTVOoJ4eTq7gj9UFAL1UruJKlTnCVaM2UeUUW/8z3fvjxhN
6hdT98Vr2FYlCS7Mbb4Hv5swO+aAXxWUm3WpByXtgVQxiBlTVYzqfLDbe9PpBKDB
fk+rabTFDZXoUke7zPgtd7/fvWTlCs30VAGEsshJmLbJ6ZbQ/xll/HjO9JbNVekB
v2Tgem+mLptR7yIrpaidRJXrI+UzB6vAlk/8a1u7cIqV0yef4uaZFORNekUgQHTq
ddmsPCEIYQP7xGxZBIhdmm4bhYsVA6G2WgNFYagLDBzpmk9104WQzYuVNsxyoVLO
bhx3RugaEGru+SojW4dHPoWrUhftNpFC5H7QEY7MhKRyrBe7ucykW7eaCuWBsBb4
HOKRFVDcrZgdwaSIqMDiCLg4D+TPVgKx2EgEdeoHNHT9l3ZDBD+XgbF+23/zBjeC
txz+dL/9NWR6P2eZRi7zcEO1xwcdcqJsyz/JceENc2Sg8h3KeFUCS7tpFk7CrDqk
-----END CERTIFICATE-----

When attempting to verify this cert with Cryptography, I always get the following error:

cryptography.hazmat.bindings._rust.x509.VerificationError: validation failed: invalid extension: 2.5.29.37: Certificate extension has incorrect criticality (encountered processing <Certificate(subject=<Name(C=US,O=DigiCert,CN=DigiCert Timestamp 2024)>, ...)>)

How can I use Cryptography to verify TSP certificates?

@alex
Copy link
Member

alex commented Dec 9, 2024

The current behavior comes from the CABF requirement (https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.1.pdf) which is the primary profile we have implemented.

@woodruffw what do you think -- should we loosen the default handling, or is this better handled by #11800?

@woodruffw
Copy link
Contributor

woodruffw commented Dec 9, 2024

@woodruffw what do you think -- should we loosen the default handling, or is this better handled by #11800?

Hmm, I think this could go either way: based on the x509-limbo results, checking for a non-critical EKU is not widely done. So IMO there would be no harm in relaxing this criticality check.

More generally however, I'd be surprised if the current validator APIs work at all with RFC 3161 certs -- this is likely just the first thing to fail. Validating TSRs more generally will probably fail, since a lot of TSAs have wildly non-compliant X.509 setups 🙂

@kislyuk you might want to check out https://github.com/trailofbits/rfc3161-client -- that's a full-fledged RFC 3161 client implementation, including TSR validation. It uses the PyCA Cryptography Rust APIs under the hood, although it currently still depends on OpenSSL (via Rust bindings) for the chain building part because of the path validation API limitations mentioned above.

@alex
Copy link
Member

alex commented Dec 9, 2024 via email

@kislyuk
Copy link
Author

kislyuk commented Dec 9, 2024

Thanks, where can I find more details on the profiles API?

@woodruffw thanks for the link to the Trail of Bits RFC3161 client, that looks very relevant. It does carry the warning "This project is an alpha version and should not be used in production." which is fine but the reason I'm asking is that I'm the maintainer of https://github.com/pyauth/tsp-client - another RFC3161 implementation - which does have some production users and has been relying on the validation routines in PyOpenSSL, which have now been deprecated and removed.

I certainly stand to learn from your efforts in https://github.com/trailofbits/rfc3161-client, but more generally, I think it would be very useful if Cryptography could provide an opinionated but configurable API with tightly controlled defaults but with the ability to adjust them, now that direct access has been removed in PyOpenSSL. Would the profiles API help with that?

checking for a non-critical EKU is not widely done. So IMO there would be no harm in relaxing this criticality check.

This (or the ability to configure this) would allow me to proceed past the current error - I would really appreciate this change. Aside from extension policy handling, I do have the rest of TSR validation working in a standalone manner, so I don't expect further issues although I haven't been able to check yet.

@woodruffw
Copy link
Contributor

Thanks, where can I find more details on the profiles API?

I think @alex is referring to #11165 et al., which is currently informing the implementation of new APIs for configuring extension policies.

@woodruffw thanks for the link to the Trail of Bits RFC3161 client, that looks very relevant. It does carry the warning "This project is an alpha version and should not be used in production." which is fine but the reason I'm asking is that I'm the maintainer of pyauth/tsp-client - another RFC3161 implementation - which does have some production users and has been relying on the validation routines in PyOpenSSL, which have now been deprecated and removed.

We need to tweak that warning 😅 -- it's in production now, although we won't consider the APIs themselves stable until we do a 1.0 release.

@DarkaMaul mind opening a PR on rfc3161-client to mark this as beta instead of alpha + update the classifiers as necessary?

This (or the ability to configure this) would allow me to proceed past the current error - I would really appreciate this change. Aside from extension policy handling, I do have the rest of TSR validation working in a standalone manner, so I don't expect further issues although I haven't been able to check yet.

Understood! I'll take a look at making these changes to the verifier tonight or tomorrow.

@Noha-code
Copy link

Please guys, I have a problem if anyone can help! I'm working on a certificate project on Python with the cryptography library, but for some reason, when I install it, the module x509 is missing. I tried virtual environment, upgrading Python, and upgrading the library, but the problem still persists.

@alex
Copy link
Member

alex commented Dec 13, 2024

Your comment has nothing to do with this issue.

If you need help, please file a separate issue with sufficient details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

4 participants