From 110e5341eb322087c9847a9d4041692b5daecb95 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 22 Jan 2025 14:27:22 +0000 Subject: [PATCH 1/3] Add X.509 formatting validation to SECURITY.md Clarify that strict formatting of X.509 certificates is not checked by Mbed TLS and that it therefore should not be used to construct a CA. Signed-off-by: David Horstmann --- SECURITY.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 732335b233..b4d564ef44 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -135,3 +135,17 @@ Guide](docs/architecture/alternative-implementations.md) for more information. - Use cryptographic mechanisms that are not based on block ciphers. In particular, for authenticated encryption, use ChaCha20/Poly1305 instead of block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG. + +#### Formatting of X.509 certificates and certificate signing requests + +When parsing X.509 certificates and certificate signing requests (CSRs), +Mbed TLS does not check that they are strictly compliant with X.509 and other +relevant standards. In the case of signed certificates, the signing party is +assumed to have performed this validation (and the certificate is trusted to +be correctly formatted as long as the signature is correct). +Similarly, CSRs are implicitly trusted by Mbed TLS to be standards-compliant. + +**Warning!** Mbed TLS must not be used to sign untrusted CSRs unless extra +validation is performed separately to ensure that they are compliant to the +relevant specifications. This makes Mbed TLS on its own unsuitable use in a +Certificate Authority (CA). From 2c400fc1a2211991522cb3e66c18647f53dac6bf Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 22 Jan 2025 14:48:58 +0000 Subject: [PATCH 2/3] Add paragraph on undefined behaviour Add a note that we do aim to protect against undefined behaviour and undefined behaviour in certificate parsing is in scope. Signed-off-by: David Horstmann --- SECURITY.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index b4d564ef44..e6d0bbff08 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -149,3 +149,8 @@ Similarly, CSRs are implicitly trusted by Mbed TLS to be standards-compliant. validation is performed separately to ensure that they are compliant to the relevant specifications. This makes Mbed TLS on its own unsuitable use in a Certificate Authority (CA). + +However, Mbed TLS aims to protect against memory corruption and other +undefined behavior when parsing certificates and CSRs. If a CSR or signed +certificate causes undefined behavior when it is parsed by Mbed TLS, that +is considered a security vulnerability. From 09d0b71d2b81972eea56bf254b669d6dc3887ba6 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 23 Jan 2025 10:28:06 +0000 Subject: [PATCH 3/3] Fix missing-word typo Signed-off-by: David Horstmann --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e6d0bbff08..d6c8f43fb6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -147,8 +147,8 @@ Similarly, CSRs are implicitly trusted by Mbed TLS to be standards-compliant. **Warning!** Mbed TLS must not be used to sign untrusted CSRs unless extra validation is performed separately to ensure that they are compliant to the -relevant specifications. This makes Mbed TLS on its own unsuitable use in a -Certificate Authority (CA). +relevant specifications. This makes Mbed TLS on its own unsuitable for use in +a Certificate Authority (CA). However, Mbed TLS aims to protect against memory corruption and other undefined behavior when parsing certificates and CSRs. If a CSR or signed