Allow certificates with Basic Constraints CA:false, pathlen:0
authorTomas Mraz <tmraz@fedoraproject.org>
Thu, 2 Apr 2020 13:56:12 +0000 (15:56 +0200)
committerTomas Mraz <tmraz@fedoraproject.org>
Mon, 6 Apr 2020 08:25:58 +0000 (10:25 +0200)
commit428cf5ff83a48d0b51c97476586b2cbd053b6302
tree07405635463ee22db727804629f7c7c13e7d9e5b
parenta056ee28ed0971be2e29b49c3357a4065c98e51d
Allow certificates with Basic Constraints CA:false, pathlen:0

Do not mark such certificates with EXFLAG_INVALID although they
violate the RFC 5280, they are syntactically correct and
openssl itself can produce such certificates without any errors
with command such as:

openssl x509 -req -signkey private.pem -in csr.pem -out cert.pem \
  -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")

With the commit ba4356ae4002a04e28642da60c551877eea804f7 the
EXFLAG_INVALID causes openssl to not consider such certificate
even as leaf self-signed certificate which is breaking existing
installations.

Fixes: #11456

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11463)
crypto/x509/v3_purp.c