[openssl-commits] [openssl] master update

Viktor Dukhovni viktor at openssl.org
Wed Mar 30 00:58:06 UTC 2016


The branch master has been updated
       via  4d9e33acb23472566ba0ae15d63c5562a0abf7a2 (commit)
      from  222e620baf5a55b251e716df955ce0db53c48b3b (commit)


- Log -----------------------------------------------------------------
commit 4d9e33acb23472566ba0ae15d63c5562a0abf7a2
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Mar 29 19:40:03 2016 -0400

    Require intermediate CAs to have basicConstraints CA:true.
    
    Previously, it was sufficient to have certSign in keyUsage when the
    basicConstraints extension was missing.  That is still accepted in
    a trust anchor, but is no longer accepted in an intermediate CA.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c        |  3 ++-
 test/certs/ca-nonbc.pem       | 18 ++++++++++++++++++
 test/certs/mkcert.sh          | 21 +++++++++++++++++++++
 test/certs/setup.sh           |  1 +
 test/recipes/25-test_verify.t |  8 ++++++--
 5 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 test/certs/ca-nonbc.pem

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index afd8299..ffa211b 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -484,8 +484,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                 ret = 1;
             break;
         default:
+            /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */
             if ((ret == 0)
-                || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+                || ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT)
                     && (ret != 1))) {
                 ret = 0;
                 ctx->error = X509_V_ERR_INVALID_CA;
diff --git a/test/certs/ca-nonbc.pem b/test/certs/ca-nonbc.pem
new file mode 100644
index 0000000..013775b
--- /dev/null
+++ b/test/certs/ca-nonbc.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDMzMDAwMDE1N1oYDzIxMTYwMzMxMDAwMTU3WjANMQswCQYDVQQD
+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
+CLNNsUcCAwEAAaNPME0wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G
+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAPo7bKKFLbwT3x7dw+OPZMDxwyG1pk5x+5SD7iv45mOzS
+5lZ2ByaOH+jnjTfG6beNmTCbfq6RcHqTvD6LXYex5z9KliIL9Fpwh507uGDXmKDN
+lM0zmbYhXiWGRwP5NkbB/EppbiSk42l5/ky4gmCH/a9kQfiBW+Gwe3aBwRX6v+5p
+BLwH12YrM46DdEL4RHd2H/9rjSaX4X3aaZd9kZsf/yaOU65iQX15cNDfxkKncYQK
+K+xjT2S/NLcwslkPzQLCWeWZVBV4Vd+TEjjZA1tFpu5e1oNlJYvGbqjIuUurpoxv
+IhsVUfWJEf7KjpFy+kgPyijNYRUBFrMspdb6x771RQ==
+-----END CERTIFICATE-----
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 7b892d2..99e7d2a 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -114,6 +114,27 @@ genca() {
 	    -set_serial 2 -days "${DAYS}"
 }
 
+gen_nonbc_ca() {
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local cacert=$1; shift
+    local skid="subjectKeyIdentifier = hash"
+    local akid="authorityKeyIdentifier = keyid"
+
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid")
+    exts=$(printf "%s\nkeyUsage = %s\n" "$exts" "keyCertSign, cRLSign")
+    for eku in "$@"
+    do
+        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
+    done
+    csr=$(req "$key" "$cn") || return 1
+    echo "$csr" |
+        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
+	    -set_serial 2 -days "${DAYS}"
+}
+
 genee() {
     local OPTIND=1
     local purpose=serverAuth
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index 8cf27ee..9606c77 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -74,6 +74,7 @@ openssl x509 -in sroot-cert.pem -trustout \
 #
 ./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
 ./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
+./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
 ./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
 ./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
 ./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index c1d222b..d4131cc 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -19,7 +19,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 81;
+plan tests => 83;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -104,8 +104,12 @@ ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
 # CA variants
 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
    "fail non-CA untrusted intermediate");
+ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),
+   "fail non-CA untrusted intermediate");
 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),
-   "fail non-CA trusted intermediate");
+   "fail non-CA trust-store intermediate");
+ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),
+   "fail non-CA trust-store intermediate");
 ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []),
    "fail non-CA server trust intermediate");
 ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []),


More information about the openssl-commits mailing list