That is not correct behaviour as far as I can understand. RFC5280 Certification Path Validation algorithm process from root to leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4 Preparation for Certificate i+1 is expected to occur upon Root certificate, i.e. the following should be expected behaviour: * max_path_length=n (initialisation) * max_path_length=n-1 (first decrement) * max_path_length=0 (copied from root certificate constraint) * VERIFY(max_path_length>0) error upon preparing transition from i=1 (Root) to i=2 (EvilCA). OpenSSL does everything in a slightly different reverse algorithm, but should perform the same controls and behaivor as the RFC imho. And aside from the RFC algorithm checking for this condition, it is also analog with the description of the expected behaviour: The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3). In this case, it gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. (Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.) A pathLenConstraint of zero indicates that no non- self-issued intermediate CA certificates may follow in a valid certification path. Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, no limit is imposed. So my understanding is that the OpenSSL algorithm is confused and fails to perform a check that is applicable to self-issued certificates. The decrement of max_path_length (aka plen++ in OpenSSL implementation) should not occur for self issued certificates, but the validation of max_path_length>0 (aka plen>(constraint+1)) should occur. On Mon, Oct 8, 2018 at 1:27 PM J Decker <d3ck0r@xxxxxxxxx> wrote: > > It was my interpretation that 0 pathlen on the root self signed meant infinite. > The pathlen only applies on the certs between root and the leaf (which obviously can be 0, and CA true or not, but bad form to say true I'd imagine.) > > On Mon, Oct 8, 2018 at 1:57 AM Peter Magnusson <blaufish.public.email@xxxxxxxxx> wrote: >> >> One more logic confusion in the OpenSSL Path Length Constraint check. >> Any Path Length Constraint set by Root (or any other Self-Issued >> Certificate) is ignored. >> Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly >> applied to the checker (i.e. the checker and the calculation logic >> have been mixed up). >> >> https://github.com/blaufish/openssl-pathlen/tree/master/testcase_2 >> >> openssl x509 -text -in root.pem | grep -a1 "X509v3 Basic" >> Certificate Sign, CRL Sign >> X509v3 Basic Constraints: critical >> CA:TRUE, pathlen:0 >> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 Basic" >> Certificate Sign, CRL Sign >> X509v3 Basic Constraints: critical >> CA:TRUE, pathlen:0 >> openssl x509 -text -in evilserver.pem | grep -a1 "X509v3 Basic" >> X509v3 extensions: >> X509v3 Basic Constraints: critical >> CA:FALSE >> ---- >> openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier" >> X509v3 extensions: >> X509v3 Subject Key Identifier: >> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >> -- >> -- >> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >> X509v3 Authority Key Identifier: >> >> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier" >> X509v3 extensions: >> X509v3 Subject Key Identifier: >> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >> -- >> -- >> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >> X509v3 Authority Key Identifier: >> >> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >> openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier" >> TLS Web Server Authentication >> X509v3 Subject Key Identifier: >> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE >> -- >> -- >> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE >> X509v3 Authority Key Identifier: >> >> keyid:B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >> ---- >> ../openssl-1.1.1/apps/openssl verify -show_chain -verbose -CAfile >> root.pem -untrusted evilca.pem evilserver.pem >> ******* important variables ******* >> *** check_chain_extensions:524 i=0 >> *** check_chain_extensions:525 plen=0 >> *** check_chain_extensions:526 x->ex_pathlen=-1 >> ******* if statement components ******* >> *** check_chain_extensions:528 i > 1=0 >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=0 >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >> proxy_path_length + 1))=0 >> ******* important variables ******* >> *** check_chain_extensions:524 i=1 >> *** check_chain_extensions:525 plen=1 >> *** check_chain_extensions:526 x->ex_pathlen=0 >> ******* if statement components ******* >> *** check_chain_extensions:528 i > 1=0 >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >> proxy_path_length + 1))=0 >> ******* important variables ******* >> *** check_chain_extensions:524 i=2 >> *** check_chain_extensions:525 plen=2 >> *** check_chain_extensions:526 x->ex_pathlen=0 >> ******* if statement components ******* >> *** check_chain_extensions:528 i > 1=1 >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=0 >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >> proxy_path_length + 1))=1 >> evilserver.pem: OK >> Chain: >> depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = >> EvilServer, CN = EvilServer (untrusted) >> depth=1: C = SE, ST = EvilCA, L = EvilCA, O = EvilCA, OU = EvilCA, CN >> = EvilCA (untrusted) >> depth=2: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
