[EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?

Erwann Abalea erwann.abalea at docusign.com
Thu Sep 15 17:51:22 UTC 2022


Assuming that all self-signed certificates are trusted (here, A and B),
then providing a CAfile with D+C+B+A to validate E, the different possible
paths are:
 - E <- D <- B: this path is valid
 - E <- D <- C <- A: this path is valid

In the validation algorithm described in RFC5280 and X.509, the
pathLenConstraint contained in the certificate of the Trust Anchor (here,
A or B) is not taken into account. Therefore, the only ones that matter are
the values set in C and D, and these values are coherent with both chains.


On Thu, Sep 15, 2022 at 7:34 PM Andrew Lynch via openssl-users <
openssl-users at openssl.org> wrote:

> Hi,
>
> I would like to have my understanding of the following issue confirmed:
>
> Given a two-level CA where the different generations of Root cross-sign
> each other, the verification of an end-entity certificate fails with
> OpenSSL 1.1.1 – “path length constraint exceeded”.  With OpenSSL 1.0.2 the
> same verify succeeds.
>
> All Root CA certificates have Basic Constraints CA:TRUE, pathlen:1.  The
> Sub CA certificate has pathlen:0.
>
> A) Issuer: CN=Root CA, serialNumber=1
>    Subject: CN=Root CA, serialNumber=1
>
> B) Issuer: CN=Root CA, serialNumber=2
>    Subject: CN=Root CA, serialNumber=2
>
> C) Issuer: CN=Root CA, serialNumber=1
>    Subject: CN=Root CA, serialNumber=2
>
> D) Issuer: CN=Root CA, serialNumber=2
>    Subject: CN=Sub CA, serialNumber=2
>
> E) Issuer: CN=Sub CA, serialNumber=2
>    Subject: Some end entity
>
> With a CAfile containing D, C, B, A in that order the verify of E fails.
> If I remove the cross certificate C then the verify succeeds.
>
> I believe OpenSSL 1.1.1 is building a chain of depth 3 (D – C – A) and so
> pathlen:1 of A is violated.  Without the cross certificate the chain is
> only depth 2 (D – B).
>
> Is my understanding of the reason for this failure correct?
>
> Why is OpenSSL 1.0.2 verifying successfully?  Does it not check the path
> length constraint or is it actually picking the depth 2 chain instead of
> the depth 3?
>
> Regards,
> Andrew.


-- 
Cordialement,
Erwann Abalea.
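The following is an added worked example, not code from either poster or from OpenSSL. It models the RFC 5280 section 6.1.2/6.1.4 handling of pathLenConstraint over the five certificates A..E described in the thread (constructed records with only the fields the check needs, not real certificates) and walks both candidate paths, E <- D <- B and E <- D <- C <- A. Under the RFC rule the trust anchor's own pathlen is input only, so both paths pass. The `count_anchor` switch is a hypothetical knob that applies the anchor's pathlen anyway; it reproduces the failure the question describes for the depth-3 path and is a model of that hypothesis, not a statement about how OpenSSL 1.1.1 or 1.0.2 is implemented.

```python
"""RFC 5280 6.1 pathLenConstraint processing over the thread's certificates A..E.

Constructed example data: only subject, issuer, cA and pathLenConstraint are
modelled; signatures, validity and name constraints are out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    name: str
    subject: str
    issuer: str
    ca: bool = True                 # BasicConstraints cA flag
    pathlen: Optional[int] = None   # BasicConstraints pathLenConstraint

    @property
    def self_issued(self) -> bool:
        # RFC 5280 6.1: self-issued means subject DN == issuer DN.
        return self.subject == self.issuer


# Constructed model of the certificates listed in the question.
A = Cert("A", "CN=Root CA, serialNumber=1", "CN=Root CA, serialNumber=1", pathlen=1)
B = Cert("B", "CN=Root CA, serialNumber=2", "CN=Root CA, serialNumber=2", pathlen=1)
C = Cert("C", "CN=Root CA, serialNumber=2", "CN=Root CA, serialNumber=1", pathlen=1)
D = Cert("D", "CN=Sub CA, serialNumber=2", "CN=Root CA, serialNumber=2", pathlen=0)
E = Cert("E", "Some end entity", "CN=Sub CA, serialNumber=2", ca=False)


def check_path_length(anchor: Cert, path: List[Cert], count_anchor: bool = False) -> Optional[str]:
    """Return None if `path` satisfies pathLenConstraint, else a reason string.

    `path` lists the certificates below the trust anchor, leaf last, as in
    RFC 5280 6.1 where the anchor itself is never processed in the loop.
    count_anchor=True (hypothetical, not RFC behaviour) additionally applies
    the anchor's own pathLenConstraint to the path.
    """
    if not path:
        return "empty path"
    # 6.1.2: max_path_length starts at n, the number of certificates in the path.
    max_path_length = len(path)
    if count_anchor and anchor.pathlen is not None and anchor.pathlen < max_path_length:
        max_path_length = anchor.pathlen
    prev = anchor
    for i, cert in enumerate(path):
        if cert.issuer != prev.subject:
            return f"{cert.name} was not issued by {prev.name}"
        is_last = i == len(path) - 1
        if not is_last:
            # 6.1.4 (k): every intermediate must assert cA.
            if not cert.ca:
                return f"{cert.name} is not a CA certificate"
            # 6.1.4 (l): a non-self-issued intermediate consumes one step.
            if not cert.self_issued:
                if max_path_length <= 0:
                    return f"path length constraint exceeded at {cert.name}"
                max_path_length -= 1
            # 6.1.4 (m): tighten to this certificate's own pathLenConstraint.
            if cert.pathlen is not None and cert.pathlen < max_path_length:
                max_path_length = cert.pathlen
        prev = cert
    return None


def evaluate_thread_chains(count_anchor: bool = False) -> Dict[str, Optional[str]]:
    """Run both candidate paths from the thread; None means the path is accepted."""
    return {
        "E<-D<-B": check_path_length(B, [D, E], count_anchor),
        "E<-D<-C<-A": check_path_length(A, [C, D, E], count_anchor),
    }


if __name__ == "__main__":
    for label, result in evaluate_thread_chains().items():
        print(f"RFC 5280 rule      {label:12} -> {result or 'OK'}")
    for label, result in evaluate_thread_chains(count_anchor=True).items():
        print(f"anchor pathlen too {label:12} -> {result or 'OK'}")
```

With the RFC rule both paths are accepted: C (pathlen:1) leaves room for D, and D (pathlen:0) leaves room for the leaf E. Only when the anchor's pathlen:1 is counted does the depth-3 path run out of steps at D, which is the outcome the question attributes to the D - C - A chain; the depth-2 path D - B is accepted either way.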