[openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0

Viktor Dukhovni openssl-users at dukhovni.org
Wed Oct 3 14:51:01 UTC 2018

On Wed, Oct 03, 2018 at 02:51:57PM +0200, Peter Magnusson wrote:

> $ openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem evil.pem
> evil.pem: OK

This is expected to work when intermediate.pem has pathlen 0, because
you're verifying "evil.pem" as a *leaf* certificate, its CA:true
is irrelevant when it is the last (leaf) certificate in the chain.

An actually unexpected result would be:

    $ openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem -untrusted evil.pem badee.pem
    badee.pem: OK

where badee.pem is signed by evil.pem.  The path length constraint
is not a constraint against issuing EE certs with CA:true, it only
constraints the number additional intermediate (non-self-issued)
CAs in a valid path.  In your example that number is zero.


   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.


More information about the openssl-users mailing list