authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-08-26 09:45:11 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-09-11 07:42:23 +0200
commitd72c8b457b77c31a20cf66e9c92aa19a4b7b5884 (patch)
tree49e419f14bffd64b227b70eeb0021879e0768bd0 /crypto/x509/x509_vfy.c
parentbb377c8d6c61920d889b961bd5c862eaac8b28e4 (diff)
x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
Diffstat (limited to 'crypto/x509/x509_vfy.c')
-rw-r--r--crypto/x509/x509_vfy.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index e8ca44a903..29a7f3ff52 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -520,7 +520,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ret = 1;
break;
}
- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0) {
+ /*
+ * Do the following set of checks only if strict checking is requrested
+ * and not for self-issued (including self-signed) EE (non-CA) certs
+ * because RFC 5280 does not apply to them according RFC 6818 section 2.
+ */
+ if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0
+ && !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0
+ && (x->ex_flags & EXFLAG_SI) != 0)) {
/* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */
if (x->ex_pathlen != -1) {
if ((x->ex_flags & EXFLAG_CA) == 0)
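Review bot: The added comment on the new condition carries two typos that land in the source as-is: `requrested` should be `requested` and `according RFC 6818` should be `according to RFC 6818`. The three-way predicate on `i`, `EXFLAG_CA` and `EXFLAG_SI` is also dense enough that a named local would make the exemption auditable at a glance, e.g. `int self_issued_ee = i == 0 && (x->ex_flags & EXFLAG_CA) == 0 && (x->ex_flags & EXFLAG_SI) != 0;` followed by `if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0 && !self_issued_ee) {`. EXFLAG_SI appears to be derived from a subject/issuer name match, which any certificate can assert about itself, so the comment should state that skipping the RFC 5280 profile checks here relies on such a leaf still passing the verifier's normal trust and signature checks elsewhere. check_chain_extensions begins before and continues past this hunk, and the meaning of `i == 0` as the leaf position is inferred from the loop header outside it.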
@@ -528,15 +535,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
if ((x->ex_kusage & KU_KEY_CERT_SIGN) == 0)
ctx->error = X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN;
}
- /*
- * Check Basic Constraints of CA cert are marked critical,
- * TODO should be only if cert is intended for verifying other certs
- */
if ((x->ex_flags & EXFLAG_CA) != 0
&& (x->ex_flags & EXFLAG_BCONS) != 0
&& (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0)
ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL;
- /* Check key usages according to RFC 5280 section 4.2.1.3 */
+ /* Check Key Usage according to RFC 5280 section 4.2.1.3 */
if ((x->ex_flags & EXFLAG_CA) != 0) {
if ((x->ex_flags & EXFLAG_KUSAGE) == 0)
ctx->error = X509_V_ERR_CA_CERT_MISSING_KEY_USAGE;
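Review bot: Dropping the four-line comment leaves the `EXFLAG_BCONS_CRITICAL` check as the only one in this stretch with no explanation, while its neighbours each cite their RFC section. Retiring the TODO is fine, but keep a one-liner above the `if`, e.g. `/* Check that Basic Constraints of CA certs are marked critical, RFC 5280 section 4.2.1.9 */`. The enclosing function continues past this hunk.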