[openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0

Peter Magnusson blaufish.public.email at gmail.com
Fri Oct 5 09:57:32 UTC 2018


Thanks, I provided some input regarding the off-by-one calculation of plen
still present in the patch.

You are very much correct on the definition of self-issued; rfc5280,
"A certificate is self-issued if the same DN appears in the subject
and issuer fields (the two DNs are the same if they match according to
the rules specified in Section 7.1)." Effectively path length
constraint is useless for limiting impact of a temporary CA breach, as
attacker can just issue an intermediate authority with a DN that
matches the definition of self-issued. The feature simply doesn't
provide the functionality I presumed it was its core purpose to
provide. It was very lucky for me that I messed up my DNs so I could
learn that; thank you *very* much for your input, that was very useful
to be aware of!

Best Regards
//P
On Fri, Oct 5, 2018 at 7:10 AM Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>
>
>
> > On Oct 4, 2018, at 6:25 AM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> >
> > but this corner-case is not correct, the concept of "self-issued"
> > only applies to CAs, so for the leaf to be skipped it would have
> > the be a self-issued CA.  Try the patch below:
>
> I've simplified the patch in https://github.com/openssl/openssl/pull/7353
> please take a look.
>
> --
>         Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
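As an added illustration of the RFC 5280 rule discussed above (this is not code from the thread or from OpenSSL), here is a minimal model of the path-length bookkeeping in section 6.1.4: certificates are plain records, name matching is assumed to be plain string equality, and signatures are not modelled, so it only shows how pathLenConstraint and self-issued certificates interact.

```python
# Added example, not from the thread or from OpenSSL: a model of the
# pathLenConstraint bookkeeping in RFC 5280 section 6.1.4, steps (k)-(m).
# Assumptions: DN matching is string equality (RFC 5280 7.1 is more
# lenient), and signatures/key usage are not checked at all.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    ca: bool                        # basicConstraints cA flag
    pathlen: Optional[int] = None   # pathLenConstraint, None if absent


def is_self_issued(cert: Cert) -> bool:
    """RFC 5280 6.1: same DN in the subject and issuer fields."""
    return cert.subject == cert.issuer


def path_length_ok(chain: List[Cert]) -> bool:
    """chain is ordered trust anchor first, end-entity certificate last.

    Returns True if the chain satisfies pathLenConstraint as RFC 5280
    defines it.  Only the intermediates (chain[1:-1]) are processed by
    the 'preparation for certificate i+1' steps; the leaf is not counted.
    """
    # 6.1.2 (k): max_path_length starts at n, the number of certificates
    # in the path excluding the trust anchor.
    max_path_length = len(chain) - 1
    for prev, cert in zip(chain[:-1], chain[1:-1]):
        if cert.issuer != prev.subject:
            return False            # not name-chained to its issuer
        if not cert.ca:
            return False            # 6.1.4 (k): intermediates must be CAs
        # 6.1.4 (l): only a certificate that is NOT self-issued consumes
        # budget.  This is why a CA can issue a sub-CA carrying its own DN
        # under a pathlen:0 constraint without the path being rejected.
        if not is_self_issued(cert):
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        # 6.1.4 (m): a smaller pathLenConstraint tightens the budget.
        if cert.pathlen is not None and cert.pathlen < max_path_length:
            max_path_length = cert.pathlen
    return True
```

Constructed chains to try: a root, an intermediate with pathlen 0, then either a leaf directly, a self-issued sub-CA (same DN as the intermediate) followed by a leaf, or a sub-CA with a different DN followed by a leaf; only the last of these fails the path-length check.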