2 files changed, 6 insertions, 65 deletions
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 176d9d679f..621f6f0f90 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -380,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex)
                NID_sbgp_autonomousSysNum, /* 291 */
 #endif
                NID_policy_constraints, /* 401 */
-                NID_proxyCertInfo,      /* 663 */
                NID_name_constraints,   /* 666 */
                NID_policy_mappings,    /* 747 */
                NID_inhibit_any_policy  /* 748 */
@@ -446,7 +445,6 @@ static void
 x509v3_cache_extensions_internal(X509 *x)
 {
        BASIC_CONSTRAINTS *bs;
-        PROXY_CERT_INFO_EXTENSION *pci;
        ASN1_BIT_STRING *usage;
        ASN1_BIT_STRING *ns;
        EXTENDED_KEY_USAGE *extusage;
@@ -481,30 +479,6 @@ x509v3_cache_extensions_internal(X509 *x)
                x->ex_flags |= EXFLAG_INVALID;
        }
-        /* Handle proxy certificates */
-        if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
-                if (x->ex_flags & EXFLAG_CA ||
-                    X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
-                    X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
-                        x->ex_flags |= EXFLAG_INVALID;
-                }
-                if (pci->pcPathLengthConstraint) {
-                        if (pci->pcPathLengthConstraint->type ==
-                            V_ASN1_NEG_INTEGER) {
-                                x->ex_flags |= EXFLAG_INVALID;
-                                x->ex_pcpathlen = 0;
-                        } else
-                                x->ex_pcpathlen =
-                                    ASN1_INTEGER_get(pci->
-                                      pcPathLengthConstraint);
-                } else
-                        x->ex_pcpathlen = -1;
-                PROXY_CERT_INFO_EXTENSION_free(pci);
-                x->ex_flags |= EXFLAG_PROXY;
-        } else if (i != -1) {
-                x->ex_flags |= EXFLAG_INVALID;
-        }
        /* Handle key usage */
        if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
                if (usage->length > 0) {
@@ -908,10 +882,7 @@ X509_check_issued(X509 *issuer, X509 *subject)
                        return ret;
        }
-        if (subject->ex_flags & EXFLAG_PROXY) {
+        if (ku_reject(issuer, KU_KEY_CERT_SIGN))
-                if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
-                        return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
-        } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
                return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
        return X509_V_OK;
 }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 8bba796198..8fd193699e 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -732,7 +732,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
        int (*cb)(int xok, X509_STORE_CTX *xctx);
        int proxy_path_length = 0;
        int purpose;
-        int allow_proxy_certs;
        cb = ctx->verify_cb;
@@ -747,14 +746,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
        must_be_ca = -1;
        /* CRL path validation */
-        if (ctx->parent) {
+        if (ctx->parent)
-                allow_proxy_certs = 0;
                purpose = X509_PURPOSE_CRL_SIGN;
-        } else {
+        else
-                allow_proxy_certs =
-                    !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
                purpose = ctx->param->purpose;
-        }
        /* Check all untrusted certificates */
        for (i = 0; i < ctx->num_untrusted; i++) {
@@ -769,14 +764,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
                        if (!ok)
                                goto end;
                }
-                if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
-                        ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
-                        ctx->error_depth = i;
-                        ctx->current_cert = x;
-                        ok = cb(0, ctx);
-                        if (!ok)
-                                goto end;
-                }
                ret = X509_check_ca(x);
                switch (must_be_ca) {
                case -1:
@@ -838,24 +825,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
                /* Increment path length if not self issued */
                if (!(x->ex_flags & EXFLAG_SI))
                        plen++;
-                /* If this certificate is a proxy certificate, the next
+                must_be_ca = 1;
-                   certificate must be another proxy certificate or a EE
-                   certificate.  If not, the next certificate must be a
-                   CA certificate.  */
-                if (x->ex_flags & EXFLAG_PROXY) {
-                        if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
-                                ctx->error =
-                                    X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
-                                ctx->error_depth = i;
-                                ctx->current_cert = x;
-                                ok = cb(0, ctx);
-                                if (!ok)
-                                        goto end;
-                        }
-                        proxy_path_length++;
-                        must_be_ca = 0;
-                } else
-                        must_be_ca = 1;
        }
        ok = 1;