FW: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

Michael Wojcik Michael.Wojcik at microfocus.com
Fri May 28 20:50:00 UTC 2021 

Just realized I sent this directly to Graham instead of to the list.

-----Original Message-----
From: Michael Wojcik
Sent: Friday, 28 May, 2021 09:37
To: 'Graham Leggett' <minfrin at sharp.fm>
Subject: RE: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Graham
> Leggett via openssl-users
> Sent: Friday, 28 May, 2021 06:30
>
> I am lost - I can fully understand what the code is doing, but I can’t see
> why openssl only trusts certs with “anyExtendedKeyUsage”.

Interesting. I wondered if this might be enforcing some RFC 5280 or CA / Browser Forum Baseline Requirements rule.

5280 4.2.1.12 says:

   In general, this
   extension will appear only in end entity certificates.

and

   If the extension is present, then the certificate MUST only be used
   for one of the purposes indicated.

Your certificate has serverAuth and emailProtection, yes? So it cannot be used to sign other certificates, and OpenSSL is correct as far as that goes. 5280 doesn't define an EKU for signing certificates; so perhaps the intent of the OpenSSL code is "if EKU is present, this probably can't be used as a CA cert without violating 5280, but I'll look for this 'any' usage just in case and allow that".

The errata for 5280 and the RFCs which update it do not appear to affect this section.


The CA/BF BR 7.1.2.1, the part of the certificate profile that covers root certificates, says:

   d. extKeyUsage
      This extension MUST NOT be present.

Now, there's no particular reason for OpenSSL to enforce CA/BF BR, and good reason for it not to (the "CA" part refers to commercial CAs, and not all clients are browsers). But it's more evidence that root certificates, at least, should not have extKeyUsage because browsers can correctly reject those.

The CA/BF profile is more complicated regarding what it calls "subordinate" certificates, aka intermediates, so for non-root trust anchors there are cases where you can get away with extKeyUsage. But a good rule is "only put extKeyUsage on entity [leaf] certificates".


So that really leaves us with the question "do we want OpenSSL enforcing the extKeyUsage rules of RFC 5280?". And I'm tempted to say yes. In principle, the basicConstraints CA flag and the keyUsage keyCertSign option should suffice for this, but defense in depth, and in cryptographic protocols consistency is extremely important.

--
Michael Wojcik

More information about the openssl-users mailing list