Reject certs with mismatching outer and inner sig algs

crates/static_ct_api/src/lib.rs

@@ -53,4 +53,6 @@ pub enum StaticCTError {
         "{}certificate submitted to add-{}chain", if *.is_precert { "pre-" } else { "final " }, if *.is_precert { "" } else { "pre-" }
     )]
     EndpointMismatch { is_precert: bool },
+    #[error("mismatching signature algorithm identifier")]
+    MismatchingSigAlg,
 }

crates/static_ct_api/src/rfc6962.rs

@@ -93,10 +93,10 @@ pub fn validate_chain(
     expect_precert: bool,
     require_server_auth_eku: bool,
 ) -> Result<StaticCTPendingLogEntry, StaticCTError> {
-    // First make sure the cert parses as X.509.
+    // First make sure the cert is well-formed.
     let mut iter = raw_chain.iter();
     let leaf: Certificate = match iter.next() {
-        Some(v) => Certificate::from_der(v)?,
+        Some(v) => parse_certificate(v)?,
         None => return Err(StaticCTError::EmptyChain),
     };
 
@@ -136,7 +136,7 @@ pub fn validate_chain(
     // CT is intended to observe certifications rather than police them.
 
     let mut intermediates: Vec<Certificate> = iter
-        .map(|v| Certificate::from_der(v))
+        .map(|v| parse_certificate(v))
         .collect::<Result<_, _>>()?;
 
     // Walk up the chain, ensuring that each certificate signs the previous one.
@@ -352,6 +352,17 @@ fn build_precert_tbs(
     Ok(tbs.to_der()?)
 }
 
+// Parse a certificate and verify that it is well-formed.
+fn parse_certificate(bytes: &[u8]) -> Result<Certificate, StaticCTError> {
+    let cert = Certificate::from_der(bytes)?;
+    // Reject mismatched signature algorithms: https://github.com/google/certificate-transparency-go/pull/702.
+    if cert.signature_algorithm != cert.tbs_certificate.signature {
+        return Err(StaticCTError::MismatchingSigAlg);
+    }
+
+    Ok(cert)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -362,6 +373,12 @@ mod tests {
         u64::try_from(DateTime::parse_from_rfc3339(s).unwrap().timestamp_millis()).unwrap()
     }
 
+    #[test]
+    fn test_mismatched_sig_alg() {
+        // Mismatched signature on leaf.
+        parse_certificate(include_bytes!("../tests/mismatching-sig-alg.pem")).unwrap_err();
+    }
+
     macro_rules! test_is_precert {
         ($name:ident, $cert:expr, $want_precert:expr, $want_err:expr) => {
             #[test]
@@ -479,6 +496,11 @@ mod tests {
         "../tests/fake-intermediate-cert.pem",
         "../tests/test-cert.pem"
     );
+    test_validate_chain_fail!(
+        mismatched_sig_alg_on_intermediate,
+        "../tests/leaf-signed-by-fake-intermediate-cert.pem",
+        "../tests/fake-intermediate-with-mismatching-sig-alg.pem"
+    );
     test_validate_chain_success!(
         valid_chain,
         "../tests/leaf-signed-by-fake-intermediate-cert.pem",

crates/static_ct_api/tests/fake-intermediate-with-mismatching-sig-alg.pem

@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4792439526061490155 (0x42822a5b866fbfeb)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=London, L=London, O=Google, OU=Eng, CN=FakeCertificateAuthority
+        Validity
+            Not Before: May 13 14:26:44 2016 GMT
+            Not After : Jul 12 14:26:44 2019 GMT
+        Subject: C=GB, ST=London, L=London, O=Google, OU=Eng, CN=FakeIntermediateAuthority
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ca:a4:0c:7a:6d:e9:26:22:d4:67:19:c8:29:40:
+                    c6:bd:cb:44:39:e7:fa:84:01:1d:b3:04:15:48:37:
+                    fa:55:d5:98:4b:2a:ff:14:0e:d6:ce:27:6b:29:d5:
+                    e8:8d:39:eb:be:97:be:53:21:d2:a3:f2:27:ef:46:
+                    68:1c:6f:84:77:85:b4:68:78:7a:d4:3d:50:49:89:
+                    8f:9e:6b:4a:ce:74:c0:0f:c8:68:38:7e:ae:82:ae:
+                    91:0c:6d:87:24:c4:48:f3:e0:8e:a8:3e:0c:f8:e1:
+                    e8:7f:a1:dd:29:f4:d0:eb:3a:b2:38:77:0f:1a:4e:
+                    a6:14:c4:b1:db:5b:ed:f9:a4:f0:9d:1e:d8:a8:d0:
+                    40:28:d6:fc:69:44:0b:37:37:e7:d6:fd:29:b0:70:
+                    36:47:00:89:81:5a:c9:51:cf:2d:a0:80:76:fc:d8:
+                    57:28:87:81:71:e4:10:4b:39:16:51:f2:85:ed:a0:
+                    34:41:bf:f3:52:28:f1:cd:c4:dc:31:f9:26:14:fd:
+                    b6:65:51:2f:76:e9:82:94:fc:2a:be:1a:a0:58:54:
+                    d8:b5:de:e3:96:08:07:50:3d:0e:35:26:e5:3a:c7:
+                    67:e8:8d:b6:f1:34:61:f6:0c:47:d2:fd:0b:51:cf:
+                    a6:99:97:d4:26:a1:12:14:dd:a2:0e:e5:68:4d:75:
+                    f7:c5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier:
+                01:02:03:04
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        01:e2:3a:0c:00:bc:4c:e1:ac:d3:10:54:0c:fc:6b:e4:ac:c8:
+        c2:00:05:74:39:3f:c5:9b:25:e1:e3:90:88:a9:13:8f:b9:66:
+        99:2b:65:55:ea:f6:9f:30:39:d9:18:9c:e1:f1:e1:63:62:f4:
+        f5:46:41:b2:c6:f4:8b:9f:87:d7:e9:93:c7:32:c9:15:83:8b:
+        e5:76:d3:f0:8d:36:d6:b0:32:ad:c2:95:5d:dd:58:2f:7c:4e:
+        3e:16:5f:f0:57:0c:27:98:da:32:b8:8d:81:95:f9:db:38:dc:
+        76:15:d1:3a:01:9a:fb:eb:71:ca:bf:53:bc:d8:30:61:5c:42:
+        22:81:0a:5c:f9:6d:31:3e:18:cb:eb:65:67:0e:e4:0f:cb:87:
+        7f:22:d9:84:85:d6:2f:12:7c:35:67:00:e0:65:02:06:66:96:
+        57:21:78:7a:46:b1:67:d2:9d:db:88:96:55:2f:4e:c4:6f:10:
+        8b:1a:6a:a7:d5:2e:5e:50:a5:15:c1:3a:af:2d:6e:32:bc:e7:
+        fd:a0:e9:e6:ab:d6:8c:4f:84:9d:70:f6:17:6c:f9:64:c5:5e:
+        49:87:91:6b:ca:25:e6:d8:d7:7b:77:39:f4:a3:03:28:5a:45:
+        2b:7c:85:dc:c3:cc:74:c5:c2:33:e3:1d:3f:21:e9:d5:3b:fe:
+        13:1d:91:48
+-----BEGIN CERTIFICATE-----
+MIIDmjCCAoWgAwIBAgIIQoIqW4Zvv+swDQYJKoZIhvcNAQELBQAwcTELMAkGA1UE
+BhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMQ8wDQYDVQQK
+DAZHb29nbGUxDDAKBgNVBAsMA0VuZzEhMB8GA1UEAwwYRmFrZUNlcnRpZmljYXRl
+QXV0aG9yaXR5MB4XDTE2MDUxMzE0MjY0NFoXDTE5MDcxMjE0MjY0NFowcjELMAkG
+A1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMQ8wDQYD
+VQQKDAZHb29nbGUxDDAKBgNVBAsMA0VuZzEiMCAGA1UEAwwZRmFrZUludGVybWVk
+aWF0ZUF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqk
+DHpt6SYi1GcZyClAxr3LRDnn+oQBHbMEFUg3+lXVmEsq/xQO1s4naynV6I05676X
+vlMh0qPyJ+9GaBxvhHeFtGh4etQ9UEmJj55rSs50wA/IaDh+roKukQxthyTESPPg
+jqg+DPjh6H+h3Sn00Os6sjh3DxpOphTEsdtb7fmk8J0e2KjQQCjW/GlECzc359b9
+KbBwNkcAiYFayVHPLaCAdvzYVyiHgXHkEEs5FlHyhe2gNEG/81Io8c3E3DH5JhT9
+tmVRL3bpgpT8Kr4aoFhU2LXe45YIB1A9DjUm5TrHZ+iNtvE0YfYMR9L9C1HPppmX
+1CahEhTdog7laE1198UCAwEAAaM4MDYwDwYDVR0jBAgwBoAEAQIDBDASBgNVHRMB
+Af8ECDAGAQH/AgEAMA8GA1UdDwEB/wQFAwMH/4AwCgYIKoZIzj0EAwIDggEBAAHi
+OgwAvEzhrNMQVAz8a+SsyMIABXQ5P8WbJeHjkIipE4+5ZpkrZVXq9p8wOdkYnOHx
+4WNi9PVGQbLG9Iufh9fpk8cyyRWDi+V20/CNNtawMq3ClV3dWC98Tj4WX/BXDCeY
+2jK4jYGV+ds43HYV0ToBmvvrccq/U7zYMGFcQiKBClz5bTE+GMvrZWcO5A/Lh38i
+2YSF1i8SfDVnAOBlAgZmllcheHpGsWfSnduIllUvTsRvEIsaaqfVLl5QpRXBOq8t
+bjK85/2g6ear1oxPhJ1w9hds+WTFXkmHkWvKJebY13t3OfSjAyhaRSt8hdzDzHTF
+wjPjHT8h6dU7/hMdkUg=
+-----END CERTIFICATE-----

crates/static_ct_api/tests/mismatching-sig-alg.pem

@@ -0,0 +1,38 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer:
+        Validity
+            Not Before: Nov 10 23:00:00 2009 GMT
+            Not After : Aug 10 23:00:00 2019 GMT
+        Subject:
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:27:0c:60:cf:ca:31:8a:91:db:8f:67:c7:95:04:
+                    6d:df:18:31:99:2c:97:8a:71:8d:7b:c2:b9:79:3d:
+                    02:86:21:a9:1b:5a:0c:55:03:cc:cc:18:2c:1b:96:
+                    52:81:dc:70:62:7f:c9:f4:67:cd:d3:f4:43:31:b4:
+                    a5:75:0b:19:3b
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: critical
+                DNS:asd
+    Signature Algorithm: ecdsa-with-SHA384
+    Signature Value:
+        30:44:02:20:3b:b7:b6:5d:a4:13:a1:f2:d8:42:5e:36:b9:e5:
+        41:7a:90:1c:ea:45:3f:11:6e:b7:b0:7d:b0:f7:bc:22:8b:35:
+        02:20:25:7a:88:77:4c:8a:fd:9d:e8:93:33:93:6d:f7:c3:80:
+        ba:a1:1c:51:3e:04:b6:7f:c1:ff:a2:3a:c4:87:ac:f9
+-----BEGIN CERTIFICATE-----
+MIIBAjCBqqADAgECAgEAMAoGCCqGSM49BAMCMAAwHhcNMDkxMTEwMjMwMDAwWhcN
+MTkwODEwMjMwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJwxgz8ox
+ipHbj2fHlQRt3xgxmSyXinGNe8K5eT0ChiGpG1oMVQPMzBgsG5ZSgdxwYn/J9GfN
+0/RDMbSldQsZO6MVMBMwEQYDVR0RAQH/BAcwBYIDYXNkMAoGCCqGSM49BAMDA0cA
+MEQCIDu3tl2kE6Hy2EJeNrnlQXqQHOpFPxFut7B9sPe8Ios1AiAleoh3TIr9neiT
+M5Nt98OAuqEcUT4Etn/B/6I6xIes+Q==
+-----END CERTIFICATE-----