[kmail2] [Bug 385687] New: certification path validation

bugzilla_noreply at kde.org bugzilla_noreply at kde.org
Fri Oct 13 07:51:13 BST 2017


https://bugs.kde.org/show_bug.cgi?id=385687

            Bug ID: 385687
           Summary: certification path validation
           Product: kmail2
           Version: 5.1.3
          Platform: Kubuntu Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: NOR
         Component: crypto
          Assignee: kdepim-bugs at kde.org
          Reporter: ekaratsiolis at mtg.de
  Target Milestone: ---

Created attachment 108326
  --> https://bugs.kde.org/attachment.cgi?id=108326&action=edit
Test cases containing certification paths and signed emails.

Dear KMail Team,

for a project we evaluate the certification path construction and validation of
different libraries and applications. One application in this set is KMail
5.1.3 with Kleopatra 2.2.0. We found a few issues which I present to you.
Please find them at the end of the email.

Especially CERT_PATH_COMMON_05 is interesting. In this case a certificate with
wrong encoding is placed in the S/MIME structure. In this case the signature is
ignored totally and the email appears as a standard email without signature.

Also the CRL tests could not be performed. Every CRL for each test is placed in
a distinct crldp on the same server. Once the first test where one CRL is
downloaded runs, it seems that for all later tests only the first CRL is used
(caching), the new CRLs are not downloaded and the application evaluates the
first CRL for resolving the revocation status of a certificate. Therefore
almost every CRL test fails.

The test case with the chain of certificates is provided as an attachment. A
small README file briefly explains the structure of the tests.

Best Regards

Vangelis Karatsiolis 

Test Results:

Test Name | Evaluation | Expected Result | Application result |

CERT_PATH_ALGO_STRENGTH_01|ERROR|INVALID|VALID|

Checks the behaviour of the application when an insecure hash algorithm has
been used in the production of the intermediate certificate's signature. This
path is not valid, because the hash algorithm is insecure.

-----------------------------------------------------------------------

CERT_PATH_ALGO_STRENGTH_02|ERROR|INVALID|VALID

Checks the behaviour of the application when an insecure hash algorithm has
been used in the production of the target certificate's signature. This path is
not valid, because the hash algorithm is insecure.

-----------------------------------------------------------------------

CERT_PATH_COMMON_05|ERROR|INVALID|n/a|

Checks the behaviour of the application when a certificate has a wrong DER
encoding. This path is not valid, because the certificate is not a properly
encoded structure.

-----------------------------------------------------------------------

CERT_PATH_COMMON_08|ERROR|INVALID|VALID

Checks the behaviour of the application when an intermediate certificate has
expired (now > notAfter). This path is not valid, because one CA certificate
has expired.

-----------------------------------------------------------------------

CERT_PATH_COMMON_10|ERROR|INVALID|VALID

Checks the behaviour of the application when the target certificate has expired
(now > notAfter). This path is not valid, because the target certificate has
expired.

-----------------------------------------------------------------------

CERT_PATH_COMMON_13|ERROR|VALID|INVALID

Checks the behaviour of the application when a self-issued certificate is found
in the path. This path is not invalid, because self-issued certificates are
allowed in the path and processing rules have been specified.

-----------------------------------------------------------------------

CERT_PATH_EMAIL_04|ERROR|INVALID|VALID

Checks the behaviour of an email client when the target certificate specifies
an EKU other than emailProtection or anyExtendedKeyUsage. This path is invalid.
When this extension is present, then it must contain one of those two values.


-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are the assignee for the bug.
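
The policy checks behind the failed test cases above, as an added example that is not part of the original report and is not KMail, Kleopatra or GnuPG code. It works on a simplified certificate model rather than parsed DER, does not verify signatures or revocation, and the weak-hash set is an assumption because the report does not name the algorithm used in the tests.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc
WEAK_HASHES = {"md2", "md5", "sha1"}  # assumption: the report does not name the algorithm
EMAIL_EKUS = {"emailProtection", "anyExtendedKeyUsage"}

@dataclass
class Cert:
    """Simplified model: only the fields the failed test cases exercise."""
    subject: str
    issuer: str
    sig_hash: str = "sha256"
    not_before: datetime = datetime(2015, 1, 1, tzinfo=UTC)
    not_after: datetime = datetime(2020, 1, 1, tzinfo=UTC)
    eku: Optional[frozenset] = None  # None means the extension is absent

def validate_path(anchor, path, now):
    """Check a path ordered from the cert issued by the trust anchor down to
    the target. Returns (subject, code) findings; an empty list means VALID."""
    findings, expected_issuer = [], anchor
    for cert in path:
        if cert.issuer != expected_issuer:
            findings.append((cert.subject, "NAME_CHAIN"))
        if cert.sig_hash.lower() in WEAK_HASHES:       # ALGO_STRENGTH_01/02
            findings.append((cert.subject, "WEAK_HASH"))
        if now > cert.not_after:                       # COMMON_08/10
            findings.append((cert.subject, "EXPIRED"))
        elif now < cert.not_before:
            findings.append((cert.subject, "NOT_YET_VALID"))
        # COMMON_13: subject == issuer (self-issued) is deliberately no finding.
        expected_issuer = cert.subject
    target = path[-1]
    if target.eku is not None and not (target.eku & EMAIL_EKUS):  # EMAIL_04
        findings.append((target.subject, "EKU"))
    return findings

# Constructed sample paths, evaluated at the date of the report.
NOW = datetime(2017, 10, 13, tzinfo=UTC)
OLD = datetime(2016, 1, 1, tzinfo=UTC)
PATHS = {
    "weak_intermediate": [Cert("Sub CA", "Root", sig_hash="sha1"), Cert("EE", "Sub CA")],
    "expired_target": [Cert("Sub CA", "Root"), Cert("EE", "Sub CA", not_after=OLD)],
    "self_issued": [Cert("Root", "Root"), Cert("Sub CA", "Root"), Cert("EE", "Sub CA")],
    "wrong_eku": [Cert("Sub CA", "Root"), Cert("EE", "Sub CA", eku=frozenset({"serverAuth"}))],
}

if __name__ == "__main__":
    for name, path in PATHS.items():
        print(name, validate_path("Root", path, NOW) or "VALID")
```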

