[openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0

Peter Magnusson blaufish.public.email at gmail.com
Thu Oct 4 12:07:55 UTC 2018 

Your patch does seem to resolve the test case.

II have maximised confusion by generating a CSR with the same textual
information for EvilCA as EvilServer.

I don't think the chain includes any self signed certificates except the root;
73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6 (root, self issued)
DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70 issued by
73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6.
17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0 issued by
DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70.
1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6 issued by
17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0.

Modulus of evilca.pem begins with 00:cd:ba:9f and modulus of
evilserver.pem begins with 00:af:83:6f, so they are different even if
both have  Subject: C=SE, ST=EvilServer, L=EvilServer, O=EvilServer,
OU=EvilServer, CN=EvilServer.

Funnily enough I don't trigger the edge case on regenerated files with
correct Subject information.

openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier"
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
--
--
                73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
            X509v3 Authority Key Identifier:

keyid:73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
openssl x509 -text -in intermediate.pem | egrep -a1 "X509v3 .* Key Identifier"
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70
--
--
                DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70
            X509v3 Authority Key Identifier:

keyid:73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier"
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0
--
--
                17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0
            X509v3 Authority Key Identifier:

keyid:DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70
openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier"
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6
--
--
                1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6
            X509v3 Authority Key Identifier:

keyid:17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0
On Thu, Oct 4, 2018 at 12:26 PM Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>
> On Wed, Oct 03, 2018 at 07:16:51PM +0200, Peter Magnusson wrote:
>
> > The following test case attempts to validates evilserver.pem, issued
> > by evilca.pem.
>
> More specifically, we see that in this test the leaf server certificate
> has the same subject and issuer, so EXFLAG_SI is set for that
> certificate, and it did not count in the path length:
>
>     $ /usr/local/bin/openssl verify -show_chain -verbose -trusted root.pem -untrusted untrusted.pem evilserver.pem
>     evilserver.pem: OK
>     Chain:
>     depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted)
>     depth=1: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted)
>     depth=2: C = SE, ST = Intermediate, O = Intermediate, OU = Intermediate, CN = Intermediate (untrusted)
>     depth=3: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root
>
> but this corner-case is not correct, the concept of "self-issued"
> only applies to CAs, so for the leaf to be skipped it would have
> the be a self-issued CA.  Try the patch below:
>
> --
>         Viktor.
>
> diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
> index 3a60d412da..77ca325d54 100644
> --- a/crypto/x509/x509_vfy.c
> +++ b/crypto/x509/x509_vfy.c
> @@ -445,6 +445,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
>      int i, must_be_ca, plen = 0;
>      X509 *x;
>      int proxy_path_length = 0;
> +    int is_ca;
>      int purpose;
>      int allow_proxy_certs;
>      int num = sk_X509_num(ctx->chain);
> @@ -484,7 +485,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
>                                  X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED))
>                  return 0;
>          }
> -        ret = X509_check_ca(x);
> +        ret = is_ca = X509_check_ca(x);
>          switch (must_be_ca) {
>          case -1:
>              if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
> @@ -524,8 +525,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
>              if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
>                  return 0;
>          }
> -        /* Increment path length if not self issued */
> -        if (!(x->ex_flags & EXFLAG_SI))
> +        /* Increment path length if not a self issued CA */
> +        if (!(is_ca && x->ex_flags & EXFLAG_SI))
>              plen++;
>          /*
>           * If this certificate is a proxy certificate, the next certificate
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list