Abstract:
X.509 certificates are important building blocks of modern public key infrastructures. They are used in protocols like TLS for the authentication of peers and the establishment of key material. By verifying that a certificate was, perhaps transitively, issued by trusted authorities, peers can determine the authenticity of the certificate's owner. Since this verification procedure serves as the main provider of trust, it is essential that it is implemented correctly. Implementation flaws in the verification components of a protocol stack can have severe security implications for the whole protocol.
In this thesis, we present X.509-Anvil, a testing framework for X.509 certificate chain verification programs that makes use of combinatorial testing to generate certificate chains automatically. An input parameter model (IPM) models the values of various certificate fields, features, and extensions, as well as the topology of the chain itself. The IPM further defines constraints to respect the semantic relationships between certain parameters. The combinatorial testing library coffee4j is then used to efficiently generate combinations of these parameter values. The concrete certificate chains are dynamically generated by constructing the corresponding ASN.1 structures. For this, the tools X.509-Attack and ASN.1-Tool are used. While X.509-Anvil is designed in a way that makes it easy to connect other kinds of X.509 verifiers, we primarily focus on the verification of client certificate chains during TLS handshakes with client authentication. During the development of X.509-Anvil, we created a more general combinatorial testing framework, Anvil-Core, that consolidates the common functionality required for the development of domain-specific frameworks such as X.509-Anvil or TLS-Anvil.
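To make the IPM-plus-constraints idea concrete, the following Python is an added illustration, not code from X.509-Anvil or coffee4j: a constructed five-parameter IPM covering chain topology and a few certificate fields, one semantic constraint (a chain of length 1 has no intermediate, so its key usage must be "absent"), and a greedy pairwise covering-array generator that only emits constraint-satisfying chains. Parameter names and values are constructed for the example.

```python
"""Pairwise (t=2) combinatorial generation over a small X.509 chain IPM with constraints."""
from itertools import combinations, product

# Constructed IPM (not X.509-Anvil's model): parameter -> candidate values.
IPM = {
    "chain_length": [1, 2, 3],                 # certificates below the trust anchor, incl. leaf
    "leaf_ca_flag": [False, True],             # basicConstraints cA bit on the leaf
    "intermediate_key_usage": ["keyCertSign", "digitalSignature", "absent"],
    "leaf_expired": [False, True],             # notAfter lies in the past
    "signature_algorithm": ["sha256WithRSA", "ecdsa-with-SHA256"],
}

def satisfies_constraints(test):
    """Semantic relationship between parameters: a 1-certificate chain has no intermediate."""
    if test["chain_length"] == 1 and test["intermediate_key_usage"] != "absent":
        return False
    return True

def pairs_of(test):
    """All (parameter, value) pairs exercised by one concrete test (one certificate chain)."""
    return {((a, test[a]), (b, test[b])) for a, b in combinations(sorted(test), 2)}

def valid_tests(ipm, ok):
    """Exhaustive enumeration restricted to assignments that respect the constraints."""
    names = list(ipm)
    return [t for t in (dict(zip(names, v)) for v in product(*ipm.values())) if ok(t)]

def pairwise_suite(ipm, ok):
    """Greedy covering array: pick the valid chain covering the most still-uncovered pairs."""
    tests = valid_tests(ipm, ok)
    # Only pairs realizable by some valid test count; constraint-infeasible pairs are dropped.
    uncovered = set().union(*map(pairs_of, tests))
    suite = []
    while uncovered:
        best = max(tests, key=lambda t: len(pairs_of(t) & uncovered))
        suite.append(best)
        uncovered -= pairs_of(best)
    return suite

if __name__ == "__main__":
    exhaustive = valid_tests(IPM, satisfies_constraints)
    suite = pairwise_suite(IPM, satisfies_constraints)
    print(f"{len(exhaustive)} valid chains exhaustively, {len(suite)} needed for pairwise coverage")
    for chain in suite:
        print(chain)
```

Each emitted dictionary is one abstract test template; a framework like the one described would turn it into a concrete ASN.1 certificate chain and hand it to the verifier under test.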
To demonstrate X.509-Anvil's capabilities, we evaluated the X.509 certificate chain verification components of ten open source TLS server implementations using our test suite consisting of over 170 test templates. We found various implementation flaws that violate the requirements specified in RFC 5280.