Skip to content

Move ExtKeyUsageAny setting outside intermediates check in TPM cert verified#234

Merged
betuls merged 1 commit into
openconfig:mainfrom
muntazirsal:vulnfix
Jul 7, 2026
Merged

Move ExtKeyUsageAny setting outside intermediates check in TPM cert verified#234
betuls merged 1 commit into
openconfig:mainfrom
muntazirsal:vulnfix

Conversation

@muntazirsal

Copy link
Copy Markdown
Contributor

Moves the x509.ExtKeyUsageAny setting in VerifyOptions outside the intermediates check in VerifyAndParsePemCert, ensuring it applies unconditionally to avoid breaking enrollment for single-certificate inputs.

Temp fix for vulnerability:
The VerifyAndParsePemCert function in service/biz/tpm_cert_verifier.go unconditionally overrides certVerificationOpts.KeyUsages to ExtKeyUsageAny when the device-supplied PEM input contains more than one certificate block (line 297). A device participating in TPM enrollment can include an additional PEM block to trigger this code path, causing certificate verification to accept certificates issued for any purpose (e.g., code signing, email protection) rather than enforcing the default ExtKeyUsageServerAuth restriction. This could allow an unauthorized device holding a cross-purpose certificate from a trusted CA to pass identity verification and complete TPM enrollment.

Root Cause
The KeyUsages override to ExtKeyUsageAny is coupled to the intermediate certificate pool construction inside the len(certs) > 1 conditional block at line 297. These are two independent operations — adding intermediates for chain validation and setting the ExtKeyUsage policy — but they are tied to the same attacker-controlled toggle (number of PEM blocks in the device response), creating an inconsistent validation policy based on untrusted input.

@muntazirsal muntazirsal requested a review from a team as a code owner June 23, 2026 22:00
@muntazirsal muntazirsal requested a review from betuls June 23, 2026 22:10

@betuls betuls left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but please make the suggested text changes.

Comment thread service/biz/tpm_cert_verifier.go Outdated
Comment thread service/biz/tpm_cert_verifier.go Outdated
…erifier

Moves the x509.ExtKeyUsageAny setting in VerifyOptions outside the intermediates check in VerifyAndParsePemCert, ensuring it applies unconditionally to avoid breaking enrollment for single-certificate inputs.

BUG=522385740
TAG=agy
CONV=47e03344-e537-4294-a332-8792b7bba5f4
@betuls betuls merged commit 2aaac25 into openconfig:main Jul 7, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants