diff options
author | Tomas Mraz <tmraz@fedoraproject.org> | 2020-04-02 15:56:12 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-04-06 10:28:18 +0200 |
commit | 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91 (patch) | |
tree | cd754ac686574cc6aff1778bcd0e1f78f4a3953d /crypto | |
parent | d251c4ecc11c19628fe86d82b4b4c47cfea97c17 (diff) |
Allow certificates with Basic Constraints CA:false, pathlen:0
Do not mark such certificates with EXFLAG_INVALID although they
violate the RFC 5280, they are syntactically correct and
openssl itself can produce such certificates without any errors
with command such as:
openssl x509 -req -signkey private.pem -in csr.pem -out cert.pem \
-extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
With the commit ba4356ae4002a04e28642da60c551877eea804f7 the
EXFLAG_INVALID causes openssl to not consider such certificate
even as leaf self-signed certificate which is breaking existing
installations.
Fixes: #11456
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11463)
(cherry picked from commit 428cf5ff83a48d0b51c97476586b2cbd053b6302)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/x509v3/v3_purp.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 2bc8253d2d..2eaad1a763 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -384,12 +384,16 @@ static void x509v3_cache_extensions(X509 *x) if (bs->ca) x->ex_flags |= EXFLAG_CA; if (bs->pathlen) { - if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) - || !bs->ca) { + if (bs->pathlen->type == V_ASN1_NEG_INTEGER) { x->ex_flags |= EXFLAG_INVALID; x->ex_pathlen = 0; - } else + } else { x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); + if (!bs->ca && x->ex_pathlen != 0) { + x->ex_flags |= EXFLAG_INVALID; + x->ex_pathlen = 0; + } + } } else x->ex_pathlen = -1; BASIC_CONSTRAINTS_free(bs); |