On Sat, Nov 09, 2024 at 04:51:37AM -0800, Aleksei “filimonic” Filimonov wrote:

> FreeRADIUS uses this code (below)

That code is profoundly wrong. The return value of the function
X509_STORE_CTX_get0_untrusted(3) is NOT a set of chain certificates that
failed to be verified. Rather it is the set of potentially useful
intermediate CA certificates that the verification code can draw on to
build the chain. It has little to do with the success or failure of
chain verification.

If (as is common, but not always the case) the untrusted stack consists
of the ordered chain certificates provided by the peer, and does not
include any of the configured trust anchors, nor any redundant entries,
then the length of that chain will be the number of intermediate (a.k.a.
subsidiary or "cross") CA certificates in the complete chain.

> and it shows in the logs that 1 cert is untrusted according to
> X509_STORE_CTX_get_num_untrusted, and outputs everything (2 certs)
> from X509_STORE_CTX_get0_untrusted stack.

That logic is nonsense. The value of "num_untrusted" will only be zero
if the end-entity certificate presented by the client itself appears
verbatim in the trust store, otherwise it will always be at least 1.

> For a start, it's hard to say if this "one untrusted cert" is the root or the
> peer because X509_STORE_CTX_get0_untrusted returns the stack.

The stack is a red herring, it will contain precisely the intermediate CA
certificates that the application provided when creating the
X509_STORE_CTX via X509_STORE_CTX_init(3) or soon after updated via
X509_STORE_CTX_set0_untrusted(3).

> Is there a way to get information which cert of stack is untrusted?

The first "num_untrusted" (starting at index 0) in the *constructed*
chain returned by X509_STORE_CTX_get0_chain(3) were untrusted (did not
come from the trust store). That number is typically at least 1, more
often 2 or a small handful if more intermediate CAs are employed.
> #if OPENSSL_VERSION_NUMBER >= 0x10100000L
>     /*
>      * See if there are any untrusted certificates.
>      * If so, complain about them.
>      */
>     untrusted = X509_STORE_CTX_get0_untrusted(ctx);
>     if (untrusted) {
>         if (conf->disallow_untrusted || RDEBUG_ENABLED2) {
>             int i;
>
>             WARN("Certificate chain - %i cert(s) untrusted",
>                  X509_STORE_CTX_get_num_untrusted(ctx));
>             for (i = sk_X509_num(untrusted); i > 0 ; i--) {
>                 X509 *this_cert = sk_X509_value(untrusted, i - 1);
>
>                 X509_NAME_oneline(X509_get_subject_name(this_cert),
>                                   subject, sizeof(subject));
>                 subject[sizeof(subject) - 1] = '\0';
>
>                 WARN("(TLS) untrusted certificate with depth [%i] subject name %s",
>                      i - 1, subject);
>             }
>         }
>
>         if (conf->disallow_untrusted) {
>             AUTH(LOG_PREFIX ": There are untrusted certificates in the certificate chain. Rejecting.");
>             my_ok = 0;
>         }
>     }
> #endif

This code is garbage, unless the intent is to only allow *direct* trust of
the presented EE certificate, which typically also requires the use of the
X509_V_FLAG_PARTIAL_CHAIN flag.

-- 
    Viktor.
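Added example, not part of the original message and not OpenSSL or FreeRADIUS code: a toy model in plain C of the relationship the reply describes between the untrusted stack, the constructed chain and "num_untrusted". The types `cert_t` and `result_t`, the functions `by_subject` and `build_chain`, and all certificate names are hypothetical; certificates are matched by name only (no signatures), and the trust store is assumed to hold only self-signed roots or the EE itself.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (not OpenSSL code): a certificate is just the two names matched on. */
typedef struct { const char *subject, *issuer; } cert_t;

typedef struct {
    int chain_len;     /* models sk_X509_num(X509_STORE_CTX_get0_chain(ctx)) */
    int num_untrusted; /* models X509_STORE_CTX_get_num_untrusted(ctx) */
    int verified;      /* 1 if the chain reached a trust-store entry */
} result_t;

static const cert_t *by_subject(const cert_t *set, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(set[i].subject, name) == 0)
            return &set[i];
    return NULL;
}

/* Assumption: the store holds only self-signed roots, or the EE itself. */
result_t build_chain(const cert_t *ee, const cert_t *untrusted, int n_untrusted,
                     const cert_t *store, int n_store)
{
    const cert_t *cur = ee, *hit = by_subject(store, n_store, ee->subject);
    int len = 0;
    /* EE found verbatim in the store: the only case with num_untrusted == 0. */
    if (hit && strcmp(hit->issuer, ee->issuer) == 0)
        return (result_t){1, 0, 1};
    while (cur != NULL && len < 10) {            /* cap guards against name loops */
        len++;                                   /* cur joins the chain, not from the store */
        if (by_subject(store, n_store, cur->issuer))
            return (result_t){len + 1, len, 1};  /* trust anchor appended */
        if (strcmp(cur->subject, cur->issuer) == 0)
            break;                               /* self-signed but not trusted */
        cur = by_subject(untrusted, n_untrusted, cur->issuer);
    }
    return (result_t){len, len, 0};              /* no path to a trust anchor */
}

int main(void)
{
    /* Constructed sample: root in the store, one intermediate sent by the peer. */
    cert_t store[] = {{"Root CA", "Root CA"}}, sent[] = {{"Issuing CA", "Root CA"}};
    cert_t ee = {"client", "Issuing CA"};
    result_t r = build_chain(&ee, sent, 1, store, 1);
    printf("chain=%d num_untrusted=%d\n", r.chain_len, r.num_untrusted);
    return r.verified ? 0 : 1;
}
```

In this model a fully valid three-certificate chain reports num_untrusted of 2, while the size of the untrusted stack stays the same whether or not a path to a trust anchor exists.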