Improving X.509 certificate validation errors
Kurt Roeckx
kurt at roeckx.be
Thu Mar 26 09:19:53 UTC 2020
On Wed, Mar 25, 2020 at 10:21:36PM -0700, Benjamin Kaduk wrote:
> I think it's an interesting idea. To me, perhaps the most valuable part
> would be to accumulate a corpus of certificates/chains that are malformed
> or fail to validate due to a wide variety of errors, almost akin to a
> fuzzing corpus. I'd also be curious (though I'm not entirely sure how
> large a practical impact it would have) to perform a clustering analysis
> across different X.509 implementations and see if different implementations
> produce different distributions of errors. (That is, we might expect each
> implementation to have an error for "not valid yet", "expired", "missing
> required ASN.1 field", etc.; each implementation will have a different
> error string, of course, but if we group all certificates that produce the
> same error with the same implementation together, we have a bunch of
> different clusters. Repeating the clustering across all implementations
> lets us compare the different distributions, and examine certificates that
> end up in a different cluster in different implementations.)
That's what frankencert did.
Kurt
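The cross-implementation clustering sketched in the quoted message, as an added example that is not from this thread: the input is a constructed table of (certificate id, implementation, raw error string) as would come from running one corpus through several validators; the implementation names and error strings are made up, and the code only compares the partitions each implementation induces, never the wording of the errors.

```python
# Added example: compare how different X.509 validators partition a corpus
# of failing certificates, without mapping error strings between them.
from collections import defaultdict
from itertools import combinations

# Constructed sample results; real runs would feed in tool output.
RESULTS = [
    ("cert-01", "impl-A", "certificate has expired"),
    ("cert-01", "impl-B", "X509_V_ERR_CERT_HAS_EXPIRED"),
    ("cert-02", "impl-A", "certificate has expired"),
    ("cert-02", "impl-B", "X509_V_ERR_CERT_HAS_EXPIRED"),
    ("cert-03", "impl-A", "certificate is not yet valid"),
    ("cert-03", "impl-B", "X509_V_ERR_CERT_NOT_YET_VALID"),
    ("cert-04", "impl-A", "certificate is not yet valid"),
    ("cert-04", "impl-B", "X509_V_ERR_CERT_HAS_EXPIRED"),   # impls disagree
    ("cert-05", "impl-A", "asn1: missing required field"),
    ("cert-05", "impl-B", "X509_V_ERR_CERT_HAS_EXPIRED"),   # impls disagree
]

def clusters_by_impl(results):
    """Map implementation -> {error string -> set of cert ids}."""
    out = defaultdict(lambda: defaultdict(set))
    for cert, impl, err in results:
        out[impl][err].add(cert)
    return out

def same_cluster(clusters, impl, a, b):
    """True if implementation `impl` reported the same error for a and b."""
    return any(a in certs and b in certs for certs in clusters[impl].values())

def disagreements(results):
    """Cert pairs grouped together by one implementation but not another.
    Only co-membership is compared, so differing error wording is irrelevant."""
    clusters = clusters_by_impl(results)
    certs = sorted({c for c, _, _ in results})
    found = set()
    for a, b in combinations(certs, 2):
        verdicts = {same_cluster(clusters, impl, a, b) for impl in clusters}
        if len(verdicts) > 1:
            found.add((a, b))
    return sorted(found)

def suspect_certs(results):
    """Certs ranked by how many disagreeing pairs they take part in;
    the top entries are the ones worth examining by hand."""
    counts = defaultdict(int)
    for a, b in disagreements(results):
        counts[a] += 1
        counts[b] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for cert, n in suspect_certs(RESULTS):
        print(cert, n)
```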