diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-26 09:45:11 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-11 07:42:23 +0200 |
commit | d72c8b457b77c31a20cf66e9c92aa19a4b7b5884 (patch) | |
tree | 49e419f14bffd64b227b70eeb0021879e0768bd0 | |
parent | bb377c8d6c61920d889b961bd5c862eaac8b28e4 (diff) |
x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
-rw-r--r-- | crypto/x509/x509_vfy.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index e8ca44a903..29a7f3ff52 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -520,7 +520,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; } - if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0) { + /* + * Do the following set of checks only if strict checking is requrested + * and not for self-issued (including self-signed) EE (non-CA) certs + * because RFC 5280 does not apply to them according RFC 6818 section 2. + */ + if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0 + && !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0 + && (x->ex_flags & EXFLAG_SI) != 0)) { /* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */ if (x->ex_pathlen != -1) { if ((x->ex_flags & EXFLAG_CA) == 0) @@ -528,15 +535,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if ((x->ex_kusage & KU_KEY_CERT_SIGN) == 0) ctx->error = X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN; } - /* - * Check Basic Constraints of CA cert are marked critical, - * TODO should be only if cert is intended for verifying other certs - */ if ((x->ex_flags & EXFLAG_CA) != 0 && (x->ex_flags & EXFLAG_BCONS) != 0 && (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0) ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL; - /* Check key usages according to RFC 5280 section 4.2.1.3 */ + /* Check Key Usage according to RFC 5280 section 4.2.1.3 */ if ((x->ex_flags & EXFLAG_CA) != 0) { if ((x->ex_flags & EXFLAG_KUSAGE) == 0) ctx->error = X509_V_ERR_CA_CERT_MISSING_KEY_USAGE; |