More ProxyCertInfo tentacles go to the attic

This removes ProxyCertInfo from extension caching, issuer checking
and it also drops the special path validation for proxy certs from
the legacy verifier.

ok jsing

1 files changed, 2 insertions, 31 deletions

diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 176d9d679f..621f6f0f90 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -380,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex)
                 NID_sbgp_autonomousSysNum, /* 291 */
 #endif
                 NID_policy_constraints, /* 401 */
-                NID_proxyCertInfo,      /* 663 */
                 NID_name_constraints,   /* 666 */
                 NID_policy_mappings,    /* 747 */
                 NID_inhibit_any_policy  /* 748 */
@@ -446,7 +445,6 @@ static void
 x509v3_cache_extensions_internal(X509 *x)
 {
         BASIC_CONSTRAINTS *bs;
-        PROXY_CERT_INFO_EXTENSION *pci;
         ASN1_BIT_STRING *usage;
         ASN1_BIT_STRING *ns;
         EXTENDED_KEY_USAGE *extusage;
@@ -481,30 +479,6 @@ x509v3_cache_extensions_internal(X509 *x)
                 x->ex_flags |= EXFLAG_INVALID;
         }
 
-        /* Handle proxy certificates */
-        if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
-                if (x->ex_flags & EXFLAG_CA ||
-                    X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
-                    X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
-                        x->ex_flags |= EXFLAG_INVALID;
-                }
-                if (pci->pcPathLengthConstraint) {
-                        if (pci->pcPathLengthConstraint->type ==
-                            V_ASN1_NEG_INTEGER) {
-                                x->ex_flags |= EXFLAG_INVALID;
-                                x->ex_pcpathlen = 0;
-                        } else
-                                x->ex_pcpathlen =
-                                    ASN1_INTEGER_get(pci->
-                                      pcPathLengthConstraint);
-                } else
-                        x->ex_pcpathlen = -1;
-                PROXY_CERT_INFO_EXTENSION_free(pci);
-                x->ex_flags |= EXFLAG_PROXY;
-        } else if (i != -1) {
-                x->ex_flags |= EXFLAG_INVALID;
-        }
-
         /* Handle key usage */
         if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
                 if (usage->length > 0) {
@@ -908,10 +882,7 @@ X509_check_issued(X509 *issuer, X509 *subject)
                         return ret;
         }
 
-        if (subject->ex_flags & EXFLAG_PROXY) {
-                if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
-                        return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
-        } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+        if (ku_reject(issuer, KU_KEY_CERT_SIGN))
                 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
         return X509_V_OK;
 }