[openssl] master update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Mon Apr 6 08:27:08 UTC 2020


The branch master has been updated
       via  3cb55fe47c3398b81956e4fe20c4004524d47519 (commit)
       via  fa86e2ee3533bb7fa9f3c62c38920cf960e9fec0 (commit)
       via  428cf5ff83a48d0b51c97476586b2cbd053b6302 (commit)
      from  a056ee28ed0971be2e29b49c3357a4065c98e51d (commit)


- Log -----------------------------------------------------------------
commit 3cb55fe47c3398b81956e4fe20c4004524d47519
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Fri Apr 3 10:24:40 2020 +0200

    Add test cases for the non CA certificate with pathlen:0
    
    Accept verification without -x509_strict and reject it with it.
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11463)

commit fa86e2ee3533bb7fa9f3c62c38920cf960e9fec0
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Apr 2 17:31:21 2020 +0200

    Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints
    
    If we encounter a certificate with basic constraints CA:false and
    pathlen present, and X509_V_FLAG_X509_STRICT is set, we set the
    X509_V_ERR_INVALID_EXTENSION error.
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11463)

commit 428cf5ff83a48d0b51c97476586b2cbd053b6302
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Apr 2 15:56:12 2020 +0200

    Allow certificates with Basic Constraints CA:false, pathlen:0
    
    Do not mark such certificates with EXFLAG_INVALID. Although they
    violate RFC 5280, they are syntactically correct, and openssl
    itself can produce such certificates without any errors with a
    command such as:
    
    openssl x509 -req -signkey private.pem -in csr.pem -out cert.pem \
      -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
    
    With the commit ba4356ae4002a04e28642da60c551877eea804f7 the
    EXFLAG_INVALID causes openssl to not consider such certificate
    even as leaf self-signed certificate which is breaking existing
    installations.
    
    Fixes: #11456
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11463)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/v3_purp.c         | 10 +++++++---
 crypto/x509/x509_vfy.c        |  6 ++++++
 test/certs/ee-pathlen.pem     | 17 +++++++++++++++++
 test/certs/setup.sh           |  4 +++-
 test/recipes/25-test_verify.t |  6 +++++-
 5 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 test/certs/ee-pathlen.pem

diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index 0d02090330..bb60276d94 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -385,12 +385,16 @@ int X509v3_cache_extensions(X509 *x, OPENSSL_CTX *libctx, const char *propq)
         if (bs->ca)
             x->ex_flags |= EXFLAG_CA;
         if (bs->pathlen) {
-            if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
-                || !bs->ca) {
+            if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
                 x->ex_flags |= EXFLAG_INVALID;
                 x->ex_pathlen = 0;
-            } else
+            } else {
                 x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+                if (!bs->ca && x->ex_pathlen != 0) {
+                    x->ex_flags |= EXFLAG_INVALID;
+                    x->ex_pathlen = 0;
+                }
+            }
         } else
             x->ex_pathlen = -1;
         BASIC_CONSTRAINTS_free(bs);
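Review bot: The new `!bs->ca && x->ex_pathlen != 0` branch has no comment explaining why pathlen:0 on a non-CA certificate is accepted while any other value still sets EXFLAG_INVALID, so the asymmetry reads like an oversight. A comment above the inner `if`, such as `/* RFC 5280 forbids pathlen without CA:true; pathlen:0 is tolerated for compatibility and rejected only under X509_V_FLAG_X509_STRICT */`, would record the decision. The comment should also say that callers which relied on EXFLAG_INVALID to refuse these certificates now need the strict flag. The enclosing X509v3_cache_extensions body starts and ends outside this hunk.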
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b338b63531..510b4f1109 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -509,6 +509,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                 ret = 1;
             break;
         }
+        if ((x->ex_flags & EXFLAG_CA) == 0
+            && x->ex_pathlen != -1
+            && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
+            ctx->error = X509_V_ERR_INVALID_EXTENSION;
+            ret = 0;
+        }
         if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
             return 0;
         /* check_purpose() makes the callback as needed */
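Review bot: The added block assigns `ctx->error = X509_V_ERR_INVALID_EXTENSION` unconditionally, so if the switch that closes just above (its cases are outside the hunk) has already set `ret = 0` with its own error, that error is overwritten. The single `verify_cb_cert(ctx, x, i, X509_V_OK)` call below then reports only the extension error, and a verify callback or log that triages on the error code would miss the earlier CA/non-CA failure. Consider moving `if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK)) return 0;` above the new check and giving the new check its own callback call. The condition also depends on `x->ex_pathlen != -1` meaning that a pathlen was present, which deserves a short comment such as `/* ex_pathlen == -1 is how X509v3_cache_extensions marks an absent pathlen */`.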
diff --git a/test/certs/ee-pathlen.pem b/test/certs/ee-pathlen.pem
new file mode 100644
index 0000000000..0bcae1d7bd
--- /dev/null
+++ b/test/certs/ee-pathlen.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index d58d0d789b..f4f3e046f0 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -154,7 +154,7 @@ openssl x509 -in sca-cert.pem -trustout \
     -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
 
 # Primary leaf cert: ee-cert
-# ee variants: expired, issuer-key2, issuer-name2
+# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
 # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
 # purpose variants: client
 #
@@ -163,6 +163,8 @@ openssl x509 -in sca-cert.pem -trustout \
 ./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
 ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
 ./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
+./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
+    -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
 #
 openssl x509 -in ee-cert.pem -trustout \
     -addtrust serverAuth -out ee+serverAuth.pem
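Review bot: The added `-extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")` uses process substitution, which bash, ksh and zsh support but POSIX sh does not. The script's shebang is outside this hunk, so confirm setup.sh runs under a shell that supports it. The extra `-extfile` is also appended after the arguments genee consumes, so if mkcert.sh already passes its own extension file to `openssl x509`, check which of the two takes effect. The fixture is only useful if the resulting certificate really carries `CA:FALSE,pathlen:0`. A comment above the command, such as `# non-CA leaf with pathlen:0 (violates RFC 5280); used by 25-test_verify.t`, would tell whoever regenerates the certs why it exists.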
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index c0de243708..3df2b5c370 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 137;
+plan tests => 139;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -222,6 +222,10 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
    "accept direct match with client trust");
 ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
    "reject direct match with client mistrust");
+ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
+   "accept non-ca with pathlen:0 by default");
+ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
+   "reject non-ca with pathlen:0 with strict flag");
 
 # Proxy certificates
 ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
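Review bot: Both added cases exercise only `pathlen:0`, so the v3_purp.c branch that still sets EXFLAG_INVALID for a non-CA certificate with a non-zero pathlen is left untested. A further fixture built with `basicConstraints=CA:FALSE,pathlen:1` and verified without `-x509_strict` would pin the intended default outcome (presumably rejection) and show that the relaxation stays limited to zero. The strict-mode case asserts only that verification fails, so it would still pass if the certificate were rejected for an unrelated reason rather than with X509_V_ERR_INVALID_EXTENSION.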

