So is this a possible bug or a feature of OpenSSL 1.1.1? (using 1.1.1n right now)
If I set up the content of CAfile or CApath so that E <- D <- C <- A is the only path that can be taken then the validation fails with
error 25 at 3 depth lookup: path length constraint exceeded
If I create the first root certificate (A) with pathlen:2 instead of pathlen:1 then validation succeeds:
depth=0: C = DE, O = Test Org, CN = Test User (untrusted) E
depth=1: C = DE, O = Test Org, CN = Test Sub-CA D
depth=2: C = DE, O = Test Org, CN = Test Root 2-CA C
depth=3: C = DE, O = Test Org, CN = Test Root 1-CA A
So it appears to me that OpenSSL 1.1.1n is definitely taking the pathlen constraint of certificate A into account.
From: Erwann Abalea <erwann.abalea@xxxxxxxxxxxx>
Assuming that all self-signed certificates are trusted (here, A and B), then providing a CAfile with D+C+B+A to validate E, the different possible paths are:
- E <- D <- B: this path is valid
- E <- D <- C <- A: this path is valid
In the validation algorithm described in RFC5280 and X.509, the pathLenConstraint contained in the certificate of the Trust Anchor (here, A or B) is not taken into account. Therefore, the only ones that matter are the values set in C and D, and these values are coherent with both chains.
On Thu, Sep 15, 2022 at 7:34 PM Andrew Lynch via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
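To make the two positions in this thread concrete, here is an added model of the RFC 5280 section 6.1 pathLenConstraint bookkeeping run over the chain E <- D <- C <- A (not code from the thread or from OpenSSL). The pathlen values assumed for C (1) and D (0) are not given in the thread; the `enforce_anchor` switch models whether the trust anchor's own constraint is counted, as the original poster observed with OpenSSL 1.1.1n, or ignored, as RFC 5280 specifies.

```python
"""RFC 5280 6.1 pathLenConstraint tracking over the chain E <- D <- C <- A.
Added example, not from the thread or OpenSSL; C/D pathlen values are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    name: str
    pathlen: Optional[int] = None  # basicConstraints pathLenConstraint, None = absent
    self_issued: bool = False      # subject == issuer, true for the roots


def check_pathlen(chain: List[Cert], enforce_anchor: bool) -> Tuple[bool, str]:
    """chain is leaf first, trust anchor last, matching OpenSSL's depth numbering.

    RFC 5280 6.1 processes certificates 1..n below the trust anchor, so the
    anchor's pathLenConstraint is never consulted. enforce_anchor=True instead
    uses it as an initial bound, reproducing the behaviour seen in 1.1.1n."""
    anchor = chain[-1]
    path = list(reversed(chain[:-1]))   # certificate 1 .. n, anchor excluded
    max_path_length = len(path)         # 6.1.2 (k): initialised to n
    constrained_by = None               # certificate whose pathlen bounds the path
    if enforce_anchor and anchor.pathlen is not None and anchor.pathlen < max_path_length:
        max_path_length, constrained_by = anchor.pathlen, anchor
    for cert in path[:-1]:              # 6.1.4: preparation for the next certificate
        if not cert.self_issued:        # (h): each non-self-issued CA hop costs one
            if max_path_length <= 0:
                depth = chain.index(constrained_by) if constrained_by else -1
                return False, f"path length constraint exceeded at depth {depth}"
            max_path_length -= 1
        if cert.pathlen is not None and cert.pathlen < max_path_length:  # (m)
            max_path_length, constrained_by = cert.pathlen, cert
    return True, "ok"


def thread_chain(root_pathlen: int) -> List[Cert]:
    """E <- D <- C <- A; A's pathlen as in the thread, C=1 and D=0 are assumed."""
    return [
        Cert("Test User (E)"),
        Cert("Test Sub-CA (D)", pathlen=0),
        Cert("Test Root 2-CA (C)", pathlen=1),
        Cert("Test Root 1-CA (A)", pathlen=root_pathlen, self_issued=True),
    ]


if __name__ == "__main__":
    for plen in (1, 2):
        for enforce in (True, False):
            ok, msg = check_pathlen(thread_chain(plen), enforce)
            print(f"A pathlen:{plen} enforce_anchor={enforce}: {ok} ({msg})")
```

Only the combination pathlen:1 with the anchor enforced fails, and it fails at depth 3 (certificate A), matching the error quoted above; raising A to pathlen:2 or ignoring the anchor's constraint both validate.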