Your patch does seem to resolve the test case.
II have maximised confusion by generating a CSR with the same textual
information for EvilCA as EvilServer.
I don't think the chain includes any self signed certificates except the root;
73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6 (root, self issued)
DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70 issued by
73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6.
17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0 issued by
DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70.
1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6 issued by
17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0.
Modulus of evilca.pem begins with 00:cd:ba:9f and modulus of
evilserver.pem begins with 00:af:83:6f, so they are different even if
both have Subject: C=SE, ST=EvilServer, L=EvilServer, O=EvilServer,
OU=EvilServer, CN=EvilServer.
Funnily enough I don't trigger the edge case on regenerated files with
correct Subject information.
openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier"
X509v3 extensions:
X509v3 Subject Key Identifier:
73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
--
--
73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
X509v3 Authority Key Identifier:
keyid:73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
openssl x509 -text -in intermediate.pem | egrep -a1 "X509v3 .* Key Identifier"
X509v3 extensions:
X509v3 Subject Key Identifier:
DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70
--
--
DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70
X509v3 Authority Key Identifier:
keyid:73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier"
X509v3 extensions:
X509v3 Subject Key Identifier:
17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0
--
--
17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0
X509v3 Authority Key Identifier:
keyid:DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70
openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier"
TLS Web Server Authentication
X509v3 Subject Key Identifier:
1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6
--
--
1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6
X509v3 Authority Key Identifier:
keyid:17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0
On Thu, Oct 4, 2018 at 12:26 PM Viktor Dukhovni
<openssl-users@xxxxxxxxxxxx> wrote:
>
> On Wed, Oct 03, 2018 at 07:16:51PM +0200, Peter Magnusson wrote:
>
> > The following test case attempts to validates evilserver.pem, issued
> > by evilca.pem.
>
> More specifically, we see that in this test the leaf server certificate
> has the same subject and issuer, so EXFLAG_SI is set for that
> certificate, and it did not count in the path length:
>
> $ /usr/local/bin/openssl verify -show_chain -verbose -trusted root.pem -untrusted untrusted.pem evilserver.pem
> evilserver.pem: OK
> Chain:
> depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted)
> depth=1: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted)
> depth=2: C = SE, ST = Intermediate, O = Intermediate, OU = Intermediate, CN = Intermediate (untrusted)
> depth=3: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root
>
> but this corner-case is not correct, the concept of "self-issued"
> only applies to CAs, so for the leaf to be skipped it would have
> the be a self-issued CA. Try the patch below:
>
> --
> Viktor.
>
> diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
> index 3a60d412da..77ca325d54 100644
> --- a/crypto/x509/x509_vfy.c
> +++ b/crypto/x509/x509_vfy.c
> @@ -445,6 +445,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
> int i, must_be_ca, plen = 0;
> X509 *x;
> int proxy_path_length = 0;
> + int is_ca;
> int purpose;
> int allow_proxy_certs;
> int num = sk_X509_num(ctx->chain);
> @@ -484,7 +485,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
> X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED))
> return 0;
> }
> - ret = X509_check_ca(x);
> + ret = is_ca = X509_check_ca(x);
> switch (must_be_ca) {
> case -1:
> if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
> @@ -524,8 +525,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
> if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
> return 0;
> }
> - /* Increment path length if not self issued */
> - if (!(x->ex_flags & EXFLAG_SI))
> + /* Increment path length if not a self issued CA */
> + if (!(is_ca && x->ex_flags & EXFLAG_SI))
> plen++;
> /*
> * If this certificate is a proxy certificate, the next certificate
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
