From 428cf5ff83a48d0b51c97476586b2cbd053b6302 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 2 Apr 2020 15:56:12 +0200 Subject: [PATCH] Allow certificates with Basic Constraints CA:false, pathlen:0 Do not mark such certificates with EXFLAG_INVALID although they violate the RFC 5280, they are syntactically correct and openssl itself can produce such certificates without any errors with command such as: openssl x509 -req -signkey private.pem -in csr.pem -out cert.pem \ -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") With the commit ba4356ae4002a04e28642da60c551877eea804f7 the EXFLAG_INVALID causes openssl to not consider such certificate even as leaf self-signed certificate which is breaking existing installations. Fixes: #11456 Reviewed-by: Bernd Edlinger Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/11463) --- crypto/x509/v3_purp.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index 0d02090330..bb60276d94 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -385,12 +385,16 @@ int X509v3_cache_extensions(X509 *x, OPENSSL_CTX *libctx, const char *propq) if (bs->ca) x->ex_flags |= EXFLAG_CA; if (bs->pathlen) { - if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) - || !bs->ca) { + if (bs->pathlen->type == V_ASN1_NEG_INTEGER) { x->ex_flags |= EXFLAG_INVALID; x->ex_pathlen = 0; - } else + } else { x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); + if (!bs->ca && x->ex_pathlen != 0) { + x->ex_flags |= EXFLAG_INVALID; + x->ex_pathlen = 0; + } + } } else x->ex_pathlen = -1; BASIC_CONSTRAINTS_free(bs); -- 2.25.1