web-security 2021-12-27 | Slack Archive

MatthewLisp14:12:58

Hello everyone 👋 I have a specific question about the Java Keystore. Considering this scenario: • I'm using a custom Keystore managed by myself • I've added a certificate chain to it from a specific website/server The question is: What happens when the leaf cert is changed? (Not expired, changed), but the intermediate and root certificates are still valid? Does the implementation uses the intermediate and root certificates as fallbacks? Or the connection is entirely invalidated? I'm trying to do some blackbox testing, find the implementation, googling, etc, but i figured someone might already know the answer here! Thanks

Dave Russell10:12:44

I can't speak for how resolution works in a Keystore, but typically a PKI cert chain exists for the sake of deriving trust in an otherwise unknown certificate -- but you still need the cert itself to verify signatures. So if the leaf cert changes, and you don't have the new cert, signatures signed by it will fail verification. Put another way -- imagine if it did "fall back", it would mean that a payload signed by Alice (a leaf cert) could be verified using Bob's cert (another leaf) -- which sort of forfeits the point of signatures 🙂

👍 1

2021-12-27

Channels