crypto/x509: CheckSignatureFrom does not verify Issuer matches parent's Subject

[jsha]

1. What version of Go are you using (go version)?
   go version go1.6 linux/amd64
2. What operating system and processor architecture are you using (go env)?
   GOARCH="amd64"
   GOBIN="/home/jsha/gopkg/bin"
   GOEXE=""
   GOHOSTARCH="amd64"
   GOHOSTOS="linux"
   GOOS="linux"
   GOPATH="/home/jsha/gopkg"
   GORACE=""
   GOROOT="/home/jsha/go1.6"
   GOTOOLDIR="/home/jsha/go1.6/pkg/tool/linux_amd64"
   GO15VENDOREXPERIMENT="1"
   CC="gcc"
   GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
   CXX="g++"
   CGO_ENABLED="1"
3. What did you do?
   https://play.golang.org/p/4Q5wwbag_y
4. What did you expect to see?
   Runs successfully, no errors

Per https://tools.ietf.org/html/rfc5280#page-73,

the path validation process verifies, among other
   things, that a prospective certification path (a sequence of n
   certificates) satisfies the following conditions:
(a)  for all x in {1, ..., n-1}, the subject of certificate x is
           the issuer of certificate x+1;

However, in the test code linked above, ee.CheckSignatureFrom(issuer2) returns a nil error, even though the subject of issuer2 is not equal to the issuer of ee.

1. What did you see instead?
   Successfully verified signature on EE cert from issuer2, expected failure.

[bradfitz]

/cc @agl

[quentinmit]

@agl Is this important for Go 1.7?

[agl]

I don't believe that this warrant rushing for 1.7.

[odeke-em]

Thanks for the issue and repro @jsha. I was bored this evening and decided to take a stab at this with https://go-review.googlesource.com/23571 using most of your repro in the tests. I couldn't find your email though @jsha and so far I have requested a review only from @agl. Please free free to join in.

[gopherbot]

CL https://golang.org/cl/23571 mentions this issue.

[ianlancetaylor]

Per agl's comment above and his comment on the CL, postponing to 1.8.

[agl]

Here's the list of certificates from the Pilot CT log where the chain contains a link that needs canonicalisation before the Subject and Issuer match. It shows the common name of the certificates in that link followed by the common names of each (unexpired) leaf certificate affected by that link.

There's a small number of public certificates affected, mostly by Siemens and WellsFargo's internal CAs. (The UCA root doesn't appear to be in Mozilla yet.)

I'll wait for comments but, based on this, it looks viable that we would want to require a strict match of issuer/subject when checking chains. (I.e. these certificates would break.)

SHECA G2 -> UCA Root (1)
   SHECA G2
Justica -> ECRaizEstado (1)
   servicos.igsj.mj.pt
AC Firmaprofesional - CUALIFICADOS -> Autoridad de Certificacion Firmaprofesional CIF A62634068 (1)
   AC Firmaprofesional - CUALIFICADOS
Siemens Issuing CA Class Internet Server 2013 -> Siemens Internet CA V1.0 (51)
   www.industry.siemens.com
   sts-online.siemens.com
   www.industry.siemens.com
   boardroom.siemens.com
   cl.siemens.com
   events.siemens.nl
   messagecockpit.siemens.com
   Siemens Issuing CA Class Internet Server 2013
   inet.usa.siemens.com
   brandville.siemens.com
   www.weblogx.siemens.de
   www.automatyka.siemens.pl
   www.industry.siemens.pl
   www.low-medium-voltage.siemens.pl
   www.buildingtechnologies.siemens.pl
   www.mobility.siemens.pl
   bt-service.siemens.nl
   author.siemens.com
   SMARTBUY.SIEMENS.COM.CN
   scdlite.realestate.siemens.com
   mes-simaticit.siemens.com
   socialmedia.siemens.com
   ura-cyp.industrysoftware.automation.siemens.com
   mx.siemens.com.hk
   ura-col.industrysoftware.automation.siemens.com
   download.industrysoftware.automation.siemens.com
   shop.healthcare.siemens.com
   social.siemens.com
   training.plm.automation.siemens.com
   www.smc.siemens.de
   teamplay.siemens.com
   www.plm.automation.siemens.com
   plmapps.industrysoftware.automation.siemens.com
   psa.industrysoftware.automation.siemens.com
   salesforce.industrysoftware.automation.siemens.com
   m.plm.automation.siemens.com
   www2.industrysoftware.automation.siemens.com
   sales.industrysoftware.automation.siemens.com
   eintegration.siemens.es
   webapp.siemens.it
   pkiss-activate-card.siemens.com
   pkiss-emergency.siemens.com
   gate.public.siemens.com
   www.siemens.com.hk
   www.ubc.siemens.com.cn
   webtac.industrysoftware.automation.siemens.com
   www.sitrain-int.siemens.com
   partners.sea.siemens.com
   adminaccess.public.siemens.com
   pkidownload.siemens.com
   lmdcontent.industrysoftware.automation.siemens.com
www.medsrv1.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   www.medsrv1.com
SHECA G2-1 -> UCA Root (35)
   SHECA G2-1
   fmis.cdtfc.com.cn
   ef-g21.wwwtrust.org
   www.en.sge.com.cn
   www.sge.com.cn
   *.haier.com
   my.iport.com.cn
   capital.hitachi-clc.com.cn
   cashflow-cn.kerryprops.com
   cw.jxcc.com
   www.ibjl-cn.com
   www.ewppay.cn
   *.shtel.com.cn
   www.beckmancoulterdealer.com.cn
   mis.baofinance.com
   shjljg.scofcom.gov.cn
   www.gss-sh.org
   www.beckmancoulterdealer.com.cn
   yf.sh.cn
   epay.whfhjc.com.cn
   loan.jlcwgs.com
   kenki.hitachi-clc.com.cn
   orgs.stcsm.gov.cn
   www.payvel.com
   116.236.233.34
   shca.stats-sh.gov.cn
   umsp.sheca.com
   sso.fangdi.com.cn
   116.236.233.34
   www.962600.com
   www.ouyeeljg.com
   www.ibjl-cn.com
   www.beckmancoulterdealer.com.cn
   yunpan.bsteel.com
   oa.sdmsa.gov.cn
email.fub.edu -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   email.fub.edu
usowa.gamesacorp.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   usowa.gamesacorp.com
mail.lactalisiberia.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   mail.lactalisiberia.com
*.cofib.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   *.cofib.es
NRC SSP Agency CA G3 -> Symantec SSP Intermediate CA - G4 (1)
   NRC SSP Agency CA G3
NRC SSP Device CA G3 -> Symantec SSP Intermediate CA - G4 (1)
   NRC SSP Device CA G3
CA974000002 -> GPKIRootCA (1)
   CA974000002
www.csn.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   www.csn.es
COMODO EV SGC CA -> AAA Certificate Services (1)
   COMODO EV SGC CA
www.coflugo.org -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   www.coflugo.org
www.rgjr.cn -> CFCA OCA2 (1)
   www.rgjr.cn
www.alarmasip.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   www.alarmasip.es
www.rycard.com -> CFCA OCA2 (1)
   www.rycard.com
WoSign Class 3 OV Server CA -> Certification Authority of WoSign (6)
   www.huiyuanbao.com
   trade1.chinalions.com
   trade2.chinalions.com
   nbp.szzfgjj.com
   mdmservice.hnagroup.net
   WoSign Class 3 OV Server CA
Siemens Issuing CA EE Enc -> Siemens Internet CA V1.0 (1)
   Siemens Issuing CA EE Enc
CA134040001 -> GPKIRootCA (2)
   CA134040001
   CA134040001
sso.gamesacorp.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   sso.gamesacorp.com
*.ayto-miguelturra.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   *.ayto-miguelturra.es
SHECA Global G2 SSL -> UCA Global Root (58)
   www.guanker.com
   www.sheca.com
   SHECA Global G2 SSL
   ycds.cathay-ins.com.cn
   www.sheca.com
   www.payvel.com
   insurance.shanghai-electric.com
   *.huashan.org.cn
   www.962600.com
   mail.chicgroup.com
   tstinter.nissay-greatwall.com.cn
   58.247.21.59
   inter.nissay-greatwall.com.cn
   *.qd-n-tax.gov.cn
   *.ccb-life.com.cn
   www.smflvce.com
   *.gwcslife.com
   www.watchf.cn
   gpm.eland.com
   www.962600.com
   www.sheca.com
   www.imtrust.com
   www.imtrust.org
   www.sh-immigration.gov.cn
   fund.dzqh.com.cn
   www.letusign.com

   *.jusstickets.com
   vpn.chicgroup.com
   mail.snnu.edu.cn
   ca3.sheca.com
   ra.sheca.com
   sxfs.95516.com
   payupdate.sheca.com
   isap.sheca.com
   www.smflgz.com.cn
   app.kyee.com.cn
   oa.sheca.com
   sithc.shciq.gov.cn
   61.152.215.248
   ebank.baofinance.com
   *.chubb.com.cn
   xxbs.sh.gov.cn
   *.chubb.com.cn
   cqweb.thalessaic.com.cn
   *.e-celap.com
   sefc.shanghai-electric.com
   www.smflsh.com.cn
   58.210.143.12
   *.saicfc.com
   fxbc.shfdsc.com
   *.stcsm.gov.cn
   www.yuanjutong.com
   vpn.minette.cn
   ad.semir.com
   vpn.semir.com
   user.114mall.com
   vpn.balabala.cn
e.coaib.org -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   e.coaib.org
aru.enaire.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   aru.enaire.es
www.idvroom.com -> KEYNECTIS SSL RGS (1)
   www.idvroom.com
ibs.wooribankchina.com -> CFCA OCA2 (1)
   ibs.wooribankchina.com
U.S. Department of Transportation Device CA G4 -> Symantec SSP Intermediate CA - G4 (1)
   U.S. Department of Transportation Device CA G4
Siemens Issuing CA Multipurpose 2013 -> Siemens Internet CA V1.0 (1)
   Siemens Issuing CA Multipurpose 2013
serviciosremotos.saludcastillayleon.es -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   serviciosremotos.saludcastillayleon.es
WellsSecure Certification Authority 01 G2 -> WellsSecure Public Root Certification Authority 01 G2 (98)
   pay-staging.wfhealthcarepatientpay.com
   www.wellsfargoretirement.com
   online.wfhealthcarepatientpay.com
   pay.wfhealthcarepatientpay.com
   emm.wellsfargorewards.com
   www.mywellsfargorewardsemm.com
   www.earnmoremall.com
   estatus.wellsfargo.com
   www.myfirsthome.wellsfargobank.com
   www.myfirsthome.wellsfargobank.com
   www.wealthmanagementinsights.com
   www.eloansecure.com
   wfefs.wellsfargo.com
   efs.wellsfargo.com
   mobilemerchantcenter.wf.com
   www.wellsfargo401konline.com
   bizgift.wellsfargobank.com
   wellsfargocapitalfinance.com
   dealerreports.wellsfargo.com
   adminfix.accesswca.com
   admin.accesswca.com
   ceomobilefix.wellsfargo.com
   mdm2.eml.wellsfargo.com
   newsearch.wellsfargoadvantagefunds.com
   saml.wf.com
   csfedportaluatsp-ext.wellsfargo.com
   ceomobileuata.wellsfargo.com
   wls-cte1.wellsfargo.com
   mailpouchuat2.wellsfargo.com
   virtuallockbox.wf.com
   wwwfix.servicerconnect.com
   nsprotect.eml.wellsfargo.com
   bp-tch.wellsfargo.com
   achgp.wellsfargo.com
   vera-nc1.wellsfargo.com
   onlineenrolluat.wellsfargo.com
   wellsfsuat.wf.com
   wcafsfix.wellsfargo.com
   mxdioc01.wellsfargo.com
   wellsadminfix.wellsfargo.com
   wellscontent.wellsfargo.com
   pwb.wellsfargo.com
   floorplansolutionuat.wf.com
   floorplansolution.wf.com
   claimspayments.wf.com
   whlssp.wellsfargo.com
   www.neighborhoodlift.org
   fsfix.accesswca.com
   rmoluat.wellsfargo.com
   wellstrust.wellsfargo.com
   lsrt.wfhmevents.com
   fix.accesswca.com
   realstpfix.wellsfargo.com
   online-staging.wfhealthcarepatientpay.com
   wifp.wellsfargo.com
   wellstrade.wellsfargo.com
   www.citylift.com
   offeringmaterials.wellsfargosecurities.com
   wconnect.eastdilsecured.com
   purl.stage.bluespiremarketing.net
   wellsadminuat.wellsfargo.com
   onlineenrollfix.wellsfargo.com
   sso-1mgm-cert.wellsfargo.com
   www.mycitylift.org
   test.wfb.pointserv.com
   sso-1mgm.wellsfargo.com
   corestates.com
   gpowrpt.wellsfargo.com
   ceomobilesit2.wf.com
   ceoadmin.wellsfargo.com
   www.mycitylift.net
   advantagefunds.wellsfargo.com
   sso-1mgm-dr.wellsfargo.com
   www.neighborhoodlift.net
   wellsfsuat.wellsfargo.com
   www.mycitylift.com
   www.citylift.org
   wqa-itn-srv1.qaitn.com
   smcwva029.eml.wellsfargo.com
   rmol.wellsfargo.com
   wcafs.wellsfargo.com
   m2mhubuat.wellsfargo.com
   chk1.eml.wellsfargo.com
   www2.wellsfargofunds.com
   ceofraudmanager.wellsfargo.com
   www2.wellsfargoadvantagefunds.com
   cibt-dp-del.test.wellsfargo.com
   gpow.wellsfargo.com
   wifpuat.wellsfargo.com
   sba504servicing-uat.wellsfargo.com
   mail.wellsfargochampionship.com
   wwwfix.ctslink.com
   m2mhub.wellsfargo.com
   lockbox.wf.com
   fs.accesswca.com
   smtp.eastdilsecured.com
   rmolfix.wellsfargo.com
   ipsfix.wellsfargo.com
www.citinavarra.com -> AC Firmaprofesional - INFRAESTRUCTURA (1)
   www.citinavarra.com
U.S. Department of Transportation Agency CA G4 -> Symantec SSP Intermediate CA - G4 (1)
   U.S. Department of Transportation Agency CA G4
Verizon Cybertrust Security Customer CA -> Verizon Business Primary CA (1)
   Verizon Cybertrust Security Customer CA

[jsha]

To me, this list looks small enough that it seems reasonable to require the strict match even though these certs would not validate.