Investigate the root cause of the self-signed certificate bug #115

Closed
2 tasks done
sreya opened this issue Jul 11, 2023 · 2 comments
@sreya

sreya commented Jul 11, 2023

Self-signed certificates do not seem to work correctly due to a suspected issue in Electron. There is some uncertainty on how this can be the case, given that the issue does not seem to appear in Chrome, which Electron seems to inherit from. This issue is to track the root cause of the bug, even if we cannot directly fix it since the bug is upstream. Additionally, we should add workaround commands to this issue:

  • Add workaround commands
  • Find root cause of bug
@code-asher
Member

code-asher commented Jul 11, 2023

The cause I found is when a self-signed certificate is not marked as being capable of signing. In OpenSSL this is not required but with BoringSSL it seems to be.

The key usage is checked here:
https://github.com/google/boringssl/blob/9fc1c33e9c21439ce5f87855a6591a9324e569fd/crypto/x509v3/v3_purp.c#L783-L785

Which causes it to take this route:
https://github.com/google/boringssl/blob/9fc1c33e9c21439ce5f87855a6591a9324e569fd/crypto/x509/x509_vfy.c#L1710

By contrast, notice openssl has code that circumvents this check for self-signed certificates:
https://github.com/openssl/openssl/blob/0a3733babbbb4e297ccfbc3ece29e95cafca5f2d/crypto/x509/x509_vfy.c#L1837-L1847
https://github.com/openssl/openssl/blob/0a3733babbbb4e297ccfbc3ece29e95cafca5f2d/crypto/x509/x509_vfy.c#L1883-L1896
https://github.com/openssl/openssl/blob/0a3733babbbb4e297ccfbc3ece29e95cafca5f2d/crypto/x509/x509_vfy.c#L572-L601

How to verify if your certificate has this issue

  1. Run openssl x509 -in /path/to/cert -text -noout
  2. Check the extensions section to see if your certificate has a key usage and whether it supports signing. If it includes Key Usage but the value does not include Certificate Sign, then it is broken.

Example of a broken certificate:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:localhost
            X509v3 Subject Key Identifier: 
                1B:BA:6D:A5:0C:DB:CE:53:87:61:BC:77:F4:22:F3:3B:2A:1B:84:E

Example of a working certificate that specifies signing:

        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:localhost
            X509v3 Subject Key Identifier: 
                36:CB:FD:30:9F:7F:5E:76:82:01:85:89:6A:87:5D:AA:6E:45:9D:8C

Example of a working certificate that does not set Key Usage at all:

        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:localhost
            X509v3 Subject Key Identifier: 
                61:3D:FB:5A:35:E5:C4:DD:E0:C7:BF:C1:BC:48:7A:51:A8:AE:03:52

Workarounds

How to generate a working certificate with openssl

With openssl the default does not set keyUsage, so there is nothing more to do. However, if you are setting the key usage, then make sure to include keyCertSign. For example, this might look something like this:

  openssl req -x509 -nodes -newkey rsa:2048 \
              -keyout localhost.key -out localhost.crt \
              -addext "keyUsage = digitalSignature, keyEncipherment, keyCertSign" \
              -addext "subjectAltName=DNS:localhost" \
              -subj "/CN=localhost"

Alternatively, if you are using a config file then you can add keyCertSign there instead of using a flag. For example:

cat > openssl.cfg << EOF
# openssl req looks up distinguished_name even when -subj is given (at least
# on 1.1.1), so give it an empty section to read.
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
keyUsage  = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = DNS:localhost
EOF
openssl req -x509 -nodes -newkey rsa:2048 \
            -keyout localhost.key -out localhost.crt \
            -config openssl.cfg -extensions v3_req \
            -subj "/CN=localhost"

How to generate a working certificate with New-SelfSignedCertificate in PowerShell:

Add the extra signing usage using CertSign:

New-SelfSignedCertificate -Subject localhost -CertStoreLocation Cert:\CurrentUser\My -KeyUsage DigitalSignature,KeyEncipherment,CertSign

Removing the key usage altogether also appears to work although this could have other consequences that I have not investigated:

New-SelfSignedCertificate -Subject localhost -CertStoreLocation Cert:\CurrentUser\My -KeyUsage None

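The manual check above (dump the certificate with openssl x509 -text and read the Key Usage line) is easy to script. The following is an added example and not code from this issue, from code-asher or from the project: a POSIX shell script that classifies a certificate into the three cases discussed in the comment (no Key Usage extension, Key Usage with Certificate Sign, Key Usage without it). It assumes the openssl text format shown above, where the extension's value is printed on the line after its header; check_cert_file needs the openssl CLI, while check_key_usage only needs awk. The three sample dumps are constructed from the extension blocks quoted in the comment.

```sh
#!/bin/sh
# Classify a certificate's Key Usage the way the BoringSSL check above cares
# about it. Reads the output of `openssl x509 -text -noout` on stdin and
# prints exactly one of:
#   no-key-usage  no Key Usage extension at all (self-signed cert is accepted)
#   ok            Key Usage present and includes "Certificate Sign"
#   broken        Key Usage present but lacks "Certificate Sign"
check_key_usage() {
    awk '
        # Only the Key Usage header matches; "X509v3 Extended Key Usage:"
        # does not contain the substring "X509v3 Key Usage:". The value is
        # printed on the following line, so read one more line and test it.
        /X509v3 Key Usage:/ {
            seen = 1
            if ((getline) > 0 && $0 ~ /Certificate Sign/) ok = 1
        }
        END {
            if (!seen)   print "no-key-usage"
            else if (ok) print "ok"
            else         print "broken"
        }
    '
}

# Full check against a PEM certificate file (requires the openssl CLI).
check_cert_file() {
    openssl x509 -in "$1" -text -noout | check_key_usage
}

# Constructed sample dumps, trimmed to the extension block of each case.
BROKEN_DUMP='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost'
OK_DUMP='        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost'
NO_KU_DUMP='        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost'

# With a file argument, check that certificate; otherwise run the samples.
if [ -n "${1:-}" ]; then
    check_cert_file "$1"
else
    printf 'broken sample:       %s\n' "$(printf '%s\n' "$BROKEN_DUMP" | check_key_usage)"
    printf 'keyCertSign sample:  %s\n' "$(printf '%s\n' "$OK_DUMP" | check_key_usage)"
    printf 'no Key Usage sample: %s\n' "$(printf '%s\n' "$NO_KU_DUMP" | check_key_usage)"
fi
```

Run it as `sh check_ku.sh localhost.crt` against the certificate you are about to hand to code-server; "broken" means the certificate will trip the BoringSSL key-usage check described above and should be regenerated with keyCertSign (or with no Key Usage extension).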
@code-asher
Member

In some cases the VS Code plugin reports that something is self-signed when really it is a partial chain.

So this is another possible cause of the issue. In this case the solution is to provide the full chain, either by putting intermediates on the system or serving them bundled together with the leaf certificate.

@sreya sreya closed this as completed Jul 24, 2023