Re: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

Assuming that all self-signed certificates are trusted (here, A and B), then providing a CAfile with D+C+B+A to validate E, the different possible paths are:
 - E <- D <- B: this path is valid
 - E <- D <- C <- A: this path is valid

In the validation algorithm described in RFC5280 and X.509, the pathlenConstraint contained in the certificate of the Trust Anchor (here, A or B) is not taken into account. Therefore, the only ones that matter are the values set in C and D, and these values are coherent with both chains.


On Thu, Sep 15, 2022 at 7:34 PM Andrew Lynch via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

Hi,

I would like to have my understanding of the following issue confirmed:

Given a two-level CA where the different generations of Root cross-sign each other, the verification of an end-entity certificate fails with OpenSSL 1.1.1 – “path length constraint exceeded”.  With OpenSSL 1.0.2 the same verify succeeds.

All Root CA certificates have Basic Constraints CA:TRUE, pathlen:1.  The Sub CA certificate has pathlen:0.

A) Issuer: CN=Root CA, serialNumber=1
   Subject: CN=Root CA, serialNumber=1

B) Issuer: CN=Root CA, serialNumber=2
   Subject: CN=Root CA, serialNumber=2

C) Issuer: CN=Root CA, serialNumber=1
   Subject: CN=Root CA, serialNumber=2

D) Issuer: CN=Root CA, serialNumber=2
   Subject: CN=Sub CA, serialNumber=2

E) Issuer: CN=Sub CA, serialNumber=2
   Subject: Some end entity

With a CAfile containing D, C, B, A in that order the verify of E fails.  If I remove the cross certificate C then the verify succeeds.

I believe OpenSSL 1.1.1 is building a chain of depth 3 (D – C – A) and so pathlen:1 of A is violated.  Without the cross certificate the chain is only depth 2 (D – B).

Is my understanding of the reason for this failure correct?

Why is OpenSSL 1.0.2 verifying successfully?  Does it not check the path length constraint or is it actually picking the depth 2 chain instead of the depth 3?

Regards,

Andrew.

--
Cordialement,
Erwann Abalea.
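The max_path_length bookkeeping of RFC 5280 that the reply relies on, applied to the five certificates Andrew lists, as an added example (not code from the thread or from OpenSSL). The `enforce_anchor` switch is an assumption of this example: it models Andrew's hypothesis that the anchor's own pathlen:1 is being counted, which RFC 5280 section 6.2 leaves optional for self-signed anchors.

```python
from typing import List, Optional, Tuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str                      # label used in the thread (A..E)
    subject: str
    issuer: str
    ca: bool                       # basicConstraints cA
    pathlen: Optional[int] = None  # basicConstraints pathLenConstraint, None if absent

    @property
    def self_issued(self) -> bool:
        # RFC 5280 4.1.2.6: self-issued means the subject DN equals the issuer DN
        return self.subject == self.issuer

def validate_pathlen(path: List[Cert], enforce_anchor: bool = False) -> Tuple[bool, str]:
    """path = [trust anchor, intermediates..., end entity].
    Applies the max_path_length rules of RFC 5280 6.1.2 and 6.1.4 (l)/(m).
    enforce_anchor=True also honours the anchor's own pathLenConstraint (optional per 6.2)."""
    anchor, certs = path[0], path[1:]
    max_path_length = len(certs)                     # 6.1.2: initialised to n
    if enforce_anchor and anchor.pathlen is not None:
        max_path_length = min(max_path_length, anchor.pathlen)
    for cert in certs[:-1]:                          # 6.1.4 runs for intermediates only
        if not cert.ca:
            return False, f"{cert.name}: not a CA certificate"
        if not cert.self_issued:                     # (l): only non-self-issued certs count
            if max_path_length <= 0:
                return False, f"{cert.name}: path length constraint exceeded"
            max_path_length -= 1
        if cert.pathlen is not None and cert.pathlen < max_path_length:
            max_path_length = cert.pathlen           # (m): tighten to the cert's own limit
    return True, "ok"

# Constructed from the certificates listed in the thread; DNs as given there.
ROOT1 = "CN=Root CA, serialNumber=1"
ROOT2 = "CN=Root CA, serialNumber=2"
SUB2 = "CN=Sub CA, serialNumber=2"
A = Cert("A", ROOT1, ROOT1, True, 1)
B = Cert("B", ROOT2, ROOT2, True, 1)
C = Cert("C", ROOT2, ROOT1, True, 1)   # cross-certificate: Root 1 certifies Root 2's key
D = Cert("D", SUB2, ROOT2, True, 0)
E = Cert("E", "Some end entity", SUB2, False)
PATH_VIA_B = [B, D, E]        # depth-2 chain, anchor B
PATH_VIA_A = [A, C, D, E]     # depth-3 chain through the cross-certificate, anchor A

if __name__ == "__main__":
    for path in (PATH_VIA_B, PATH_VIA_A):
        print([c.name for c in path], validate_pathlen(path), validate_pathlen(path, True))
```

Under the RFC rules both chains pass, because C is not self-issued (its subject and issuer DNs differ) and its pathlen:1 still leaves room for D; only when the anchor's own constraint is counted does the chain through C fail at D.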
