diff options
| author | tb <> | 2023-04-16 08:06:42 +0000 |
|---|---|---|
| committer | tb <> | 2023-04-16 08:06:42 +0000 |
| commit | af5673b318b3bb1548e40342abba68903d680131 (patch) | |
| tree | da5366d0ec0a73467af45e2bb10f95ba049a341a /src | |
| parent | 699a40dcab913cc71bfe12a9d96aabcdd691c77a (diff) | |
| download | openbsd-af5673b318b3bb1548e40342abba68903d680131.tar.gz openbsd-af5673b318b3bb1548e40342abba68903d680131.tar.bz2 openbsd-af5673b318b3bb1548e40342abba68903d680131.zip | |
More ProxyCertInfo tentacles go to the attic
This removes ProxyCertInfo from extension caching, issuer checking
and it also drops the special path validation for proxy certs from
the legacy verifier.
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_purp.c | 33 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 38 |
2 files changed, 6 insertions, 65 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index 176d9d679f..621f6f0f90 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */ | 1 | /* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2001. | 3 | * project 2001. |
| 4 | */ | 4 | */ |
| @@ -380,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex) | |||
| 380 | NID_sbgp_autonomousSysNum, /* 291 */ | 380 | NID_sbgp_autonomousSysNum, /* 291 */ |
| 381 | #endif | 381 | #endif |
| 382 | NID_policy_constraints, /* 401 */ | 382 | NID_policy_constraints, /* 401 */ |
| 383 | NID_proxyCertInfo, /* 663 */ | ||
| 384 | NID_name_constraints, /* 666 */ | 383 | NID_name_constraints, /* 666 */ |
| 385 | NID_policy_mappings, /* 747 */ | 384 | NID_policy_mappings, /* 747 */ |
| 386 | NID_inhibit_any_policy /* 748 */ | 385 | NID_inhibit_any_policy /* 748 */ |
| @@ -446,7 +445,6 @@ static void | |||
| 446 | x509v3_cache_extensions_internal(X509 *x) | 445 | x509v3_cache_extensions_internal(X509 *x) |
| 447 | { | 446 | { |
| 448 | BASIC_CONSTRAINTS *bs; | 447 | BASIC_CONSTRAINTS *bs; |
| 449 | PROXY_CERT_INFO_EXTENSION *pci; | ||
| 450 | ASN1_BIT_STRING *usage; | 448 | ASN1_BIT_STRING *usage; |
| 451 | ASN1_BIT_STRING *ns; | 449 | ASN1_BIT_STRING *ns; |
| 452 | EXTENDED_KEY_USAGE *extusage; | 450 | EXTENDED_KEY_USAGE *extusage; |
| @@ -481,30 +479,6 @@ x509v3_cache_extensions_internal(X509 *x) | |||
| 481 | x->ex_flags |= EXFLAG_INVALID; | 479 | x->ex_flags |= EXFLAG_INVALID; |
| 482 | } | 480 | } |
| 483 | 481 | ||
| 484 | /* Handle proxy certificates */ | ||
| 485 | if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) { | ||
| 486 | if (x->ex_flags & EXFLAG_CA || | ||
| 487 | X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || | ||
| 488 | X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { | ||
| 489 | x->ex_flags |= EXFLAG_INVALID; | ||
| 490 | } | ||
| 491 | if (pci->pcPathLengthConstraint) { | ||
| 492 | if (pci->pcPathLengthConstraint->type == | ||
| 493 | V_ASN1_NEG_INTEGER) { | ||
| 494 | x->ex_flags |= EXFLAG_INVALID; | ||
| 495 | x->ex_pcpathlen = 0; | ||
| 496 | } else | ||
| 497 | x->ex_pcpathlen = | ||
| 498 | ASN1_INTEGER_get(pci-> | ||
| 499 | pcPathLengthConstraint); | ||
| 500 | } else | ||
| 501 | x->ex_pcpathlen = -1; | ||
| 502 | PROXY_CERT_INFO_EXTENSION_free(pci); | ||
| 503 | x->ex_flags |= EXFLAG_PROXY; | ||
| 504 | } else if (i != -1) { | ||
| 505 | x->ex_flags |= EXFLAG_INVALID; | ||
| 506 | } | ||
| 507 | |||
| 508 | /* Handle key usage */ | 482 | /* Handle key usage */ |
| 509 | if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) { | 483 | if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) { |
| 510 | if (usage->length > 0) { | 484 | if (usage->length > 0) { |
| @@ -908,10 +882,7 @@ X509_check_issued(X509 *issuer, X509 *subject) | |||
| 908 | return ret; | 882 | return ret; |
| 909 | } | 883 | } |
| 910 | 884 | ||
| 911 | if (subject->ex_flags & EXFLAG_PROXY) { | 885 | if (ku_reject(issuer, KU_KEY_CERT_SIGN)) |
| 912 | if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) | ||
| 913 | return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; | ||
| 914 | } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) | ||
| 915 | return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; | 886 | return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; |
| 916 | return X509_V_OK; | 887 | return X509_V_OK; |
| 917 | } | 888 | } |
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 8bba796198..8fd193699e 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -732,7 +732,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) | |||
| 732 | int (*cb)(int xok, X509_STORE_CTX *xctx); | 732 | int (*cb)(int xok, X509_STORE_CTX *xctx); |
| 733 | int proxy_path_length = 0; | 733 | int proxy_path_length = 0; |
| 734 | int purpose; | 734 | int purpose; |
| 735 | int allow_proxy_certs; | ||
| 736 | 735 | ||
| 737 | cb = ctx->verify_cb; | 736 | cb = ctx->verify_cb; |
| 738 | 737 | ||
| @@ -747,14 +746,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) | |||
| 747 | must_be_ca = -1; | 746 | must_be_ca = -1; |
| 748 | 747 | ||
| 749 | /* CRL path validation */ | 748 | /* CRL path validation */ |
| 750 | if (ctx->parent) { | 749 | if (ctx->parent) |
| 751 | allow_proxy_certs = 0; | ||
| 752 | purpose = X509_PURPOSE_CRL_SIGN; | 750 | purpose = X509_PURPOSE_CRL_SIGN; |
| 753 | } else { | 751 | else |
| 754 | allow_proxy_certs = | ||
| 755 | !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); | ||
| 756 | purpose = ctx->param->purpose; | 752 | purpose = ctx->param->purpose; |
| 757 | } | ||
| 758 | 753 | ||
| 759 | /* Check all untrusted certificates */ | 754 | /* Check all untrusted certificates */ |
| 760 | for (i = 0; i < ctx->num_untrusted; i++) { | 755 | for (i = 0; i < ctx->num_untrusted; i++) { |
| @@ -769,14 +764,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) | |||
| 769 | if (!ok) | 764 | if (!ok) |
| 770 | goto end; | 765 | goto end; |
| 771 | } | 766 | } |
| 772 | if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { | ||
| 773 | ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; | ||
| 774 | ctx->error_depth = i; | ||
| 775 | ctx->current_cert = x; | ||
| 776 | ok = cb(0, ctx); | ||
| 777 | if (!ok) | ||
| 778 | goto end; | ||
| 779 | } | ||
| 780 | ret = X509_check_ca(x); | 767 | ret = X509_check_ca(x); |
| 781 | switch (must_be_ca) { | 768 | switch (must_be_ca) { |
| 782 | case -1: | 769 | case -1: |
| @@ -838,24 +825,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) | |||
| 838 | /* Increment path length if not self issued */ | 825 | /* Increment path length if not self issued */ |
| 839 | if (!(x->ex_flags & EXFLAG_SI)) | 826 | if (!(x->ex_flags & EXFLAG_SI)) |
| 840 | plen++; | 827 | plen++; |
| 841 | /* If this certificate is a proxy certificate, the next | 828 | must_be_ca = 1; |
| 842 | certificate must be another proxy certificate or a EE | ||
| 843 | certificate. If not, the next certificate must be a | ||
| 844 | CA certificate. */ | ||
| 845 | if (x->ex_flags & EXFLAG_PROXY) { | ||
| 846 | if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { | ||
| 847 | ctx->error = | ||
| 848 | X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; | ||
| 849 | ctx->error_depth = i; | ||
| 850 | ctx->current_cert = x; | ||
| 851 | ok = cb(0, ctx); | ||
| 852 | if (!ok) | ||
| 853 | goto end; | ||
| 854 | } | ||
| 855 | proxy_path_length++; | ||
| 856 | must_be_ca = 0; | ||
| 857 | } else | ||
| 858 | must_be_ca = 1; | ||
| 859 | } | 829 | } |
| 860 | ok = 1; | 830 | ok = 1; |
| 861 | 831 | ||