[openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0

Viktor Dukhovni openssl-users at dukhovni.org
Thu Oct 4 15:54:49 UTC 2018

On Thu, Oct 04, 2018 at 02:07:55PM +0200, Peter Magnusson wrote:

> Modulus of evilca.pem begins with 00:cd:ba:9f and modulus of
> evilserver.pem begins with 00:af:83:6f, so they are different even if
> both have  Subject: C=SE, ST=EvilServer, L=EvilServer, O=EvilServer,
> OU=EvilServer, CN=EvilServer.

That's the difference between self-signed and self-issued.  The
root CA is self-signed.  Your previous EE cert would have been
self-issued, had it been a CA.  But it had CA:FALSE, which makes
it not self-issued per RFC5280, as that classification applies only
to CAs.

> Funnily enough I don't trigger the edge case on regenerated files with
> correct Subject information.

That's not "funnily enough", that's expected, if my analysis of the
problem is correct, i.e. the problem is that the existing code
treats even non-CA leaf certs as self-issued provided the subject
and issuer match.  This throws the path length constraint checks off
by 1 in just the case of "self-issued but for the CA bit" EE certs.

The proposed patch is intended to resolve that issue.  If my analysis
is correct (please test any more interesting combinations you can
come up with), then the patch should be merged into the existing
OpenSSL supported releases and perhaps also related OpenSSL forks
(either or both of LibreSSL or BoringSSL that have not changed the
code in question).


More information about the openssl-users mailing list