[openssl] OpenSSL_1_1_1-stable update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Mon Apr 6 08:28:29 UTC 2020 

The branch OpenSSL_1_1_1-stable has been updated
       via  00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91 (commit)
      from  d251c4ecc11c19628fe86d82b4b4c47cfea97c17 (commit)


- Log -----------------------------------------------------------------
commit 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Apr 2 15:56:12 2020 +0200

    Allow certificates with Basic Constraints CA:false, pathlen:0
    
    Do not mark such certificates with EXFLAG_INVALID although they
    violate the RFC 5280, they are syntactically correct and
    openssl itself can produce such certificates without any errors
    with command such as:
    
    openssl x509 -req -signkey private.pem -in csr.pem -out cert.pem \
      -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
    
    With the commit ba4356ae4002a04e28642da60c551877eea804f7 the
    EXFLAG_INVALID causes openssl to not consider such certificate
    even as leaf self-signed certificate which is breaking existing
    installations.
    
    Fixes: #11456
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11463)
    
    (cherry picked from commit 428cf5ff83a48d0b51c97476586b2cbd053b6302)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509v3/v3_purp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 2bc8253d2d..2eaad1a763 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -384,12 +384,16 @@ static void x509v3_cache_extensions(X509 *x)
         if (bs->ca)
             x->ex_flags |= EXFLAG_CA;
         if (bs->pathlen) {
-            if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
-                || !bs->ca) {
+            if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
                 x->ex_flags |= EXFLAG_INVALID;
                 x->ex_pathlen = 0;
-            } else
+            } else {
                 x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+                if (!bs->ca && x->ex_pathlen != 0) {
+                    x->ex_flags |= EXFLAG_INVALID;
+                    x->ex_pathlen = 0;
+                }
+            }
         } else
             x->ex_pathlen = -1;
         BASIC_CONSTRAINTS_free(bs);

More information about the openssl-commits mailing list