root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs 

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
This commit is contained in:
Dr. David von Oheimb 2020-08-26 09:45:11 +02:00
parent bb377c8d6c
commit d72c8b457b
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
crypto/x509/x509_vfy.c
View File

@ -520,7 +520,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ret = 1; ret = 1;
break; break;
} }
if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0) { /*
* Do the following set of checks only if strict checking is requrested
* and not for self-issued (including self-signed) EE (non-CA) certs
* because RFC 5280 does not apply to them according RFC 6818 section 2.
*/
if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0
&& !(i == 0 && (x->ex_flags & EXFLAG_CA) == 0
&& (x->ex_flags & EXFLAG_SI) != 0)) {
/* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */ /* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */
if (x->ex_pathlen != -1) { if (x->ex_pathlen != -1) {
if ((x->ex_flags & EXFLAG_CA) == 0) if ((x->ex_flags & EXFLAG_CA) == 0)
@ -528,15 +535,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
if ((x->ex_kusage & KU_KEY_CERT_SIGN) == 0) if ((x->ex_kusage & KU_KEY_CERT_SIGN) == 0)
ctx->error = X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN; ctx->error = X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN;
} }
/*
* Check Basic Constraints of CA cert are marked critical,
* TODO should be only if cert is intended for verifying other certs
*/
if ((x->ex_flags & EXFLAG_CA) != 0 if ((x->ex_flags & EXFLAG_CA) != 0
&& (x->ex_flags & EXFLAG_BCONS) != 0 && (x->ex_flags & EXFLAG_BCONS) != 0
&& (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0) && (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0)
ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL; ctx->error = X509_V_ERR_CA_BCONS_NOT_CRITICAL;
/* Check key usages according to RFC 5280 section 4.2.1.3 */ /* Check Key Usage according to RFC 5280 section 4.2.1.3 */
if ((x->ex_flags & EXFLAG_CA) != 0) { if ((x->ex_flags & EXFLAG_CA) != 0) {
if ((x->ex_flags & EXFLAG_KUSAGE) == 0) if ((x->ex_flags & EXFLAG_KUSAGE) == 0)
ctx->error = X509_V_ERR_CA_CERT_MISSING_KEY_USAGE; ctx->error = X509_V_ERR_CA_CERT_MISSING_KEY_USAGE;