From d72c8b457b77c31a20cf66e9c92aa19a4b7b5884 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Wed, 26 Aug 2020 09:45:11 +0200 Subject: x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12478) --- crypto/x509/x509_vfy.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index e8ca44a903..29a7f3ff52 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -520,7 +520,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; } - if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0) { + /* + * Do the following set of checks only if strict checking is requrested + * and not for self-issued (including self-signed) EE (non-CA) certs + * because RFC 5280 does not apply to them according RFC 6818 section 2. + */ + if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0 + && !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0 + && (x->ex_flags & EXFLAG_SI) != 0)) { /* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */ if (x->ex_pathlen != -1) { if ((x->ex_flags & EXFLAG_CA) == 0) @@ -528,15 +535,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if ((x->ex_kusage & KU_KEY_CERT_SIGN) == 0) ctx->error = X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN; } - /* - * Check Basic Constraints of CA cert are marked critical, - * TODO should be only if cert is intended for verifying other certs - */ if ((x->ex_flags & EXFLAG_CA) != 0 && (x->ex_flags & EXFLAG_BCONS) != 0 && (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0) ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL; - /* Check key usages according to RFC 5280 section 4.2.1.3 */ + /* Check Key Usage according to RFC 5280 section 4.2.1.3 */ if ((x->ex_flags & EXFLAG_CA) != 0) { if ((x->ex_flags & EXFLAG_KUSAGE) == 0) ctx->error = X509_V_ERR_CA_CERT_MISSING_KEY_USAGE; -- cgit v1.2.3