[145371] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Fri Jul 23 15:07:56 2010
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: cryptography@metzdowd.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <E1ObqW0-0007ar-SM@wintermute02.cs.auckland.ac.nz>
Date: Sat, 24 Jul 2010 01:36:55 +1200
Looks like the CDN certificate is already causing security problems, although
not the kind that I was expecting:
While trying to import a server certificate for a CDN service, a segv bug
was found in [PKI app]. It is likely that this bug is exploitable by
sending a special crafted signed message and having a user verify the
signature.
Hmm, I wonder if this particular certificate happened to be one with 107
subjectAltName entries?
Description
Importing a certificate with more than 98 Subject Alternate Names via import
command or implicitly while verifying a signature causes [...].
Yup :-). So if nothing else it's a good stress test for your certificate-
parsing code...
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
