fix(tls): require a verified leaf key for CertificateVerify#10

Open
alanhoff wants to merge 1 commit into endel:main from alanhoff:fix/tls-certificate-verify-leaf-key-required

Conversation

@alanhoff

Summary

  • fail closed when verified server authentication receives an empty Certificate list or an oversized extracted leaf public key
  • require CertificateVerify to have a stored leaf verification key instead of silently skipping signature validation
  • add regression tests for the empty-certificate, oversized-key, and missing-leaf-key paths

Vulnerability

With certificate verification enabled, the client currently stores the leaf public key only when it happens to fit the fixed 600-byte verification buffer. If the server sends an empty certificate list, or sends a leaf certificate whose extracted public key is larger than that buffer, leaf_pub_key_len stays zero and the later CertificateVerify step is skipped entirely.

Concrete examples:

  • a malicious server can send an empty certificate_list and still continue into CertificateVerify, because the client never raises an error before the signature check gate
  • a malicious or mis-issued certificate containing an oversized SubjectPublicKeyInfo/public key encoding leaves leaf_pub_key_len at zero, which previously disabled signature verification the same way
  • once the signature check is skipped, an on-path attacker can present arbitrary handshake messages and impersonate the server even though skip_cert_verify is false

Validation

  • zig build test
  • zig build
  • zig build fuzz
  • gh issue list --repo endel/quic-zig --search "CertificateVerify empty certificate list oversized key tls13" --limit 20

References

Fail closed when certificate verification is enabled but the server Certificate message is empty or the extracted leaf public key does not fit the verification buffer, and add regression tests for the empty-list, oversized-key, and missing-leaf-key paths.

Co-authored-by: Codex <noreply@openai.com>
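As an added example that is not quic-zig's code or this PR's diff: the skipped-check pattern the description reports and the fail-closed version side by side, in C. The names skip_cert_verify, leaf_pub_key_len and the 600-byte buffer are taken from the description; the function and error names, the tls_client struct, the stand-in key extraction (cert_data used as-is as the public key) and the stand-in signature check are assumptions for illustration, and the Certificate bodies are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical client state: skip_cert_verify, leaf_pub_key_len and the 600-byte
   buffer are named in the PR; everything else here is illustrative, not quic-zig. */
#define LEAF_PUB_KEY_BUF 600
typedef enum { TLS_OK = 0, TLS_ERR_MALFORMED, TLS_ERR_EMPTY_CERTIFICATE_LIST,
               TLS_ERR_LEAF_KEY_TOO_LARGE, TLS_ERR_MISSING_LEAF_KEY,
               TLS_ERR_BAD_SIGNATURE } tls_result;
typedef struct {
    int skip_cert_verify;
    uint8_t leaf_pub_key[LEAF_PUB_KEY_BUF];
    size_t leaf_pub_key_len;
} tls_client;

static uint32_t rd24(const uint8_t *p) { return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2]; }

/* TLS 1.3 Certificate body (RFC 8446 4.4.2): certificate_request_context<0..255>, then
   certificate_list<0..2^24-1> of { cert_data<1..2^24-1>, extensions<0..2^16-1> }.
   Yields the leaf (first) cert_data; an empty list is well-formed and yields len 0. */
static tls_result parse_leaf_cert(const uint8_t *b, size_t n, const uint8_t **leaf, size_t *leaf_len) {
    size_t i, ctx_len, list_len, cert_len;
    *leaf = NULL; *leaf_len = 0;
    if (n < 1 || n - 1 < (ctx_len = b[0]) + 3) return TLS_ERR_MALFORMED;
    i = 1 + ctx_len; list_len = rd24(b + i); i += 3;
    if (list_len > n - i) return TLS_ERR_MALFORMED;
    if (list_len == 0) return TLS_OK;
    if (list_len < 3 || (cert_len = rd24(b + i)) == 0 || cert_len > list_len - 3) return TLS_ERR_MALFORMED;
    *leaf = b + i + 3; *leaf_len = cert_len;
    return TLS_OK;
}

/* Stand-ins: cert_data is used directly as the "extracted" leaf public key (a real client
   parses X.509/SPKI) and a signature is "valid" iff it equals that key (a real client
   verifies RSA-PSS/ECDSA/EdDSA over the transcript hash). */
static tls_result verify_sig_stub(const tls_client *c, const uint8_t *sig, size_t n) {
    return n == c->leaf_pub_key_len && memcmp(sig, c->leaf_pub_key, n) == 0
           ? TLS_OK : TLS_ERR_BAD_SIGNATURE;
}

/* BEFORE (the bug): the key is stored only when it fits, and CertificateVerify is gated
   on leaf_pub_key_len > 0, so an empty list or an oversized key silently disables the
   signature check even though skip_cert_verify is false. */
tls_result certificate_before(tls_client *c, const uint8_t *b, size_t n) {
    const uint8_t *key; size_t key_len;
    tls_result r = parse_leaf_cert(b, n, &key, &key_len);
    if (r != TLS_OK) return r;
    if (key_len > 0 && key_len <= LEAF_PUB_KEY_BUF) {       /* else: nothing stored */
        memcpy(c->leaf_pub_key, key, key_len); c->leaf_pub_key_len = key_len;
    }
    return TLS_OK;                                          /* no error either way */
}
tls_result certificate_verify_before(tls_client *c, const uint8_t *sig, size_t n) {
    if (!c->skip_cert_verify && c->leaf_pub_key_len > 0) return verify_sig_stub(c, sig, n);
    return TLS_OK;                                          /* check skipped */
}

/* AFTER (fail closed): with verification on, an empty list or a key that does not fit
   is an error, and CertificateVerify refuses to run without a stored leaf key. */
tls_result certificate_after(tls_client *c, const uint8_t *b, size_t n) {
    const uint8_t *key; size_t key_len;
    tls_result r = parse_leaf_cert(b, n, &key, &key_len);
    if (r != TLS_OK || c->skip_cert_verify) return r;
    if (key_len == 0) return TLS_ERR_EMPTY_CERTIFICATE_LIST;
    if (key_len > LEAF_PUB_KEY_BUF) return TLS_ERR_LEAF_KEY_TOO_LARGE;
    memcpy(c->leaf_pub_key, key, key_len); c->leaf_pub_key_len = key_len;
    return TLS_OK;
}
tls_result certificate_verify_after(tls_client *c, const uint8_t *sig, size_t n) {
    if (c->skip_cert_verify) return TLS_OK;
    if (c->leaf_pub_key_len == 0) return TLS_ERR_MISSING_LEAF_KEY;
    return verify_sig_stub(c, sig, n);
}

/* Constructed exchange: a Certificate body whose list is empty (leaf_len == 0) or holds
   one leaf of leaf_len 0x42 bytes, then a CertificateVerify carrying the matching
   signature or an attacker's forged one. Returns the first error, or TLS_OK if accepted. */
tls_result run_scenario(int hardened, size_t leaf_len, int forged) {
    static const uint8_t forged_sig[4] = {0xde, 0xad, 0xbe, 0xef};
    uint8_t cert[LEAF_PUB_KEY_BUF + 1], body[LEAF_PUB_KEY_BUF + 16];
    size_t i = 0, list_len = leaf_len ? 3 + leaf_len + 2 : 0;
    const uint8_t *sig = forged ? forged_sig : cert; size_t sig_len = forged ? sizeof forged_sig : leaf_len;
    tls_client c = {0}; tls_result r;
    if (leaf_len > sizeof cert) return TLS_ERR_MALFORMED;
    memset(cert, 0x42, leaf_len);
    body[i++] = 0;                                          /* empty request context */
    body[i++] = (uint8_t)(list_len >> 16); body[i++] = (uint8_t)(list_len >> 8); body[i++] = (uint8_t)list_len;
    if (leaf_len) {
        body[i++] = (uint8_t)(leaf_len >> 16); body[i++] = (uint8_t)(leaf_len >> 8); body[i++] = (uint8_t)leaf_len;
        memcpy(body + i, cert, leaf_len); i += leaf_len;
        body[i++] = 0; body[i++] = 0;                       /* no extensions */
    }
    r = hardened ? certificate_after(&c, body, i) : certificate_before(&c, body, i);
    if (r != TLS_OK) return r;
    return hardened ? certificate_verify_after(&c, sig, sig_len)
                    : certificate_verify_before(&c, sig, sig_len);
}

/* CertificateVerify arriving before any leaf key was stored (the missing-key path). */
tls_result verify_without_certificate(int hardened) {
    tls_client c = {0};
    return hardened ? certificate_verify_after(&c, (const uint8_t *)"x", 1)
                    : certificate_verify_before(&c, (const uint8_t *)"x", 1);
}
```

run_scenario(0, 0, 1) and run_scenario(0, 601, 1) both return TLS_OK: the pre-fix client accepts a forged CertificateVerify after an empty certificate_list or after a 601-byte key that was silently dropped. The hardened path returns TLS_ERR_EMPTY_CERTIFICATE_LIST and TLS_ERR_LEAF_KEY_TOO_LARGE before the signature step is reached, and verify_without_certificate(1) returns TLS_ERR_MISSING_LEAF_KEY. One consequence worth noting: failing closed means a legitimate server whose SubjectPublicKeyInfo does not fit the buffer is now rejected rather than accepted unverified, which is the correct trade-off; a DER-encoded 4096-bit RSA SPKI is already on the order of 550 bytes, so the buffer size itself is a separate decision from the gate.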
Copilot AI review requested due to automatic review settings March 17, 2026 20:53

Copilot AI left a comment


Pull request overview

This PR hardens the TLS 1.3 client authentication path by ensuring CertificateVerify signature validation cannot be skipped when certificate verification is enabled, closing a vulnerability where an empty certificate list or oversized leaf key could bypass verification.

Changes:

  • Fail closed during Certificate processing when verification is enabled but the server sends an empty certificate list.
  • Store (and require) a verified leaf public key for CertificateVerify; reject empty/oversized extracted leaf keys and error if the key is missing at CertificateVerify.
  • Add regression tests covering empty certificate list, oversized leaf key, and missing-leaf-key during CertificateVerify.

