<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:70.85pt 70.85pt 56.7pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hi Andrew,<o:p></o:p></p><p class=MsoNormal>Can you provide the actual subject DNs for each certificate? RFC 5280 specifies that self-issued certificates (i.e., issuer DN == subject DN) are not considered in the pathLen calculation, so knowing whether these certificates are self-issued or not may be helpful in better diagnosing the issue.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> openssl-users <openssl-users-bounces@openssl.org> <b>On Behalf Of </b>Andrew Lynch via openssl-users<br><b>Sent:</b> Friday, September 16, 2022 4:32 AM<br><b>To:</b> openssl-users@openssl.org<br><b>Subject:</b> AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So is this a possible bug or a feature of OpenSSL 1.1.1? (using 1.1.1n right now)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If I set up the content of CAfile or CApath so that E <- D <- C <- A is the only path that can be taken then the validation fails with<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>error 25 at 3 depth lookup: path length constraint exceeded<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If I create the first root certificate (A) with pathlen:2 instead of pathlen:1 then validation succeeds<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>user1_cert.pem: OK<o:p></o:p></p><p class=MsoNormal>Chain:<o:p></o:p></p><p class=MsoNormal>depth=0: C = DE, O = Test Org, CN = Test User (untrusted) E<o:p></o:p></p><p class=MsoNormal>depth=1: C = DE, O = Test Org, CN = Test Sub-CA D<o:p></o:p></p><p class=MsoNormal>depth=2: C = DE, O = Test Org, CN = Test Root 2-CA C<o:p></o:p></p><p class=MsoNormal>depth=3: C = DE, O = Test Org, CN = Test Root 1-CA A<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So it appears to me that OpenSSL 1.1.1n is definitely taking the pathlen constraint of certificate A into account.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Andrew.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=DE>Von:</span></b><span lang=DE> Erwann Abalea <<a href="mailto:erwann.abalea@docusign.com">erwann.abalea@docusign.com</a>> <br><b>Gesendet:</b> Donnerstag, 15. September 2022 19:51<br><b>An:</b> Andrew Lynch <<a href="mailto:andrew.lynch@atos.net">andrew.lynch@atos.net</a>><br><b>Cc:</b> <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br><b>Betreff:</b> Re: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=DE><o:p> </o:p></span></p><div><div><p class=MsoNormal>Assuming that all self-signed certificates are trusted (here, A and B), then providing a CAfile with D+C+B+A to validate E, the different possible paths are: <o:p></o:p></p><div><p class=MsoNormal> <span lang=DE>- E <- D <- B: this path is valid<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=DE> - E <- D <- C <- A: this path is valid<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=DE><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=DE>In the validation algorithm described in RFC5280 and X.509, the pathlenConstraints contained in the certificate of the Trust Anchor (here, A or B) is not taken into account. Therefore, the only ones that matter are the values set in C and D, and these values are coherent with both chains.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=DE><o:p> </o:p></span></p></div></div><p class=MsoNormal><span lang=DE><o:p> </o:p></span></p><div><div><p class=MsoNormal><span lang=DE>On Thu, Sep 15, 2022 at 7:34 PM Andrew Lynch via openssl-users <<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>> wrote:<o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE>Hi,<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=DE> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I would like to have my understanding of the following issue confirmed:<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Given a two-level CA where the different generations of Root cross-sign each other, the verification of an end-entity certificate fails with OpenSSL 1.1.1 – “path length constraint exceeded”. With OpenSSL 1.0.2 the same verify succeeds.<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>All Root CA certificates have Basic Constraints CA:TRUE, pathlen:1. The Sub CA certificate has pathlen:0.<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>A) Issuer: CN=Root CA, serialNumber=1<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> Subject: CN=Root CA, serialNumber=1<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>B) Issuer: CN=Root CA, serialNumber=2<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> Subject: CN=Root CA, serialNumber=2<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>C) Issuer: CN=Root CA, serialNumber=1<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> Subject: CN=Root CA, serialNumber=2<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>D) Issuer: CN=Root CA, serialNumber=2<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> Subject: CN=Sub CA, serialNumber=2<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>E) Issuer: CN=Sub CA, serialNumber=2<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> Subject: Some end entity<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>With a CAfile containing D, C, B, A in that order the verify of E fails. If I remove the cross certificate C then the verify succeeds.<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I believe OpenSSL 1.1.1 is building a chain of depth 3 (D – C – A) and so pathlen:1 of A is violated. Without the cross certificate the chain is only depth 2 (D – B).<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Is my understanding of the reason for this failure correct?<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Why is OpenSSL 1.0.2 verifying successfully? Does it not check the path length constraint or is it actually picking the depth 2 chain instead of the depth 3?<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Regards,<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Andrew.<span lang=DE><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <span lang=DE><o:p></o:p></span></p></div></div></div></blockquote></div><p class=MsoNormal><span lang=DE><br clear=all><o:p></o:p></span></p><div><p class=MsoNormal><span lang=DE><o:p> </o:p></span></p></div><p class=MsoNormal><span lang=DE>-- <o:p></o:p></span></p><div><div><p class=MsoNormal><span lang=DE>Cordialement, <o:p></o:p></span></p><div><p class=MsoNormal><span lang=DE>Erwann Abalea.<o:p></o:p></span></p></div></div></div></div></div></body></html>