From af5673b318b3bb1548e40342abba68903d680131 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sun, 16 Apr 2023 08:06:42 +0000
Subject: More ProxyCertInfo tentacles go to the attic

This removes ProxyCertInfo from extension caching, issuer checking
and it also drops the special path validation for proxy certs from
the legacy verifier.

ok jsing
---
 src/lib/libcrypto/x509/x509_purp.c | 33 ++-------------------------------
 src/lib/libcrypto/x509/x509_vfy.c  | 38 ++++----------------------------------
 2 files changed, 6 insertions(+), 65 deletions(-)

diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 176d9d679f..621f6f0f90 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -380,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex)
 		NID_sbgp_autonomousSysNum, /* 291 */
 #endif
 		NID_policy_constraints,	/* 401 */
-		NID_proxyCertInfo,	/* 663 */
 		NID_name_constraints,	/* 666 */
 		NID_policy_mappings,	/* 747 */
 		NID_inhibit_any_policy	/* 748 */
@@ -446,7 +445,6 @@ static void
 x509v3_cache_extensions_internal(X509 *x)
 {
 	BASIC_CONSTRAINTS *bs;
-	PROXY_CERT_INFO_EXTENSION *pci;
 	ASN1_BIT_STRING *usage;
 	ASN1_BIT_STRING *ns;
 	EXTENDED_KEY_USAGE *extusage;
@@ -481,30 +479,6 @@ x509v3_cache_extensions_internal(X509 *x)
 		x->ex_flags |= EXFLAG_INVALID;
 	}
 
-	/* Handle proxy certificates */
-	if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
-		if (x->ex_flags & EXFLAG_CA ||
-		    X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
-		    X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
-			x->ex_flags |= EXFLAG_INVALID;
-		}
-		if (pci->pcPathLengthConstraint) {
-			if (pci->pcPathLengthConstraint->type ==
-			    V_ASN1_NEG_INTEGER) {
-				x->ex_flags |= EXFLAG_INVALID;
-				x->ex_pcpathlen = 0;
-			} else
-				x->ex_pcpathlen =
-				    ASN1_INTEGER_get(pci->
-				      pcPathLengthConstraint);
-		} else
-			x->ex_pcpathlen = -1;
-		PROXY_CERT_INFO_EXTENSION_free(pci);
-		x->ex_flags |= EXFLAG_PROXY;
-	} else if (i != -1) {
-		x->ex_flags |= EXFLAG_INVALID;
-	}
-
 	/* Handle key usage */
 	if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
 		if (usage->length > 0) {
@@ -908,10 +882,7 @@ X509_check_issued(X509 *issuer, X509 *subject)
 			return ret;
 	}
 
-	if (subject->ex_flags & EXFLAG_PROXY) {
-		if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
-			return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
-	} else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+	if (ku_reject(issuer, KU_KEY_CERT_SIGN))
 		return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
 	return X509_V_OK;
 }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 8bba796198..8fd193699e 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -732,7 +732,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
 	int (*cb)(int xok, X509_STORE_CTX *xctx);
 	int proxy_path_length = 0;
 	int purpose;
-	int allow_proxy_certs;
 
 	cb = ctx->verify_cb;
 
@@ -747,14 +746,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
 	must_be_ca = -1;
 
 	/* CRL path validation */
-	if (ctx->parent) {
-		allow_proxy_certs = 0;
+	if (ctx->parent)
 		purpose = X509_PURPOSE_CRL_SIGN;
-	} else {
-		allow_proxy_certs =
-		    !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+	else
 		purpose = ctx->param->purpose;
-	}
 
 	/* Check all untrusted certificates */
 	for (i = 0; i < ctx->num_untrusted; i++) {
@@ -769,14 +764,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
 			if (!ok)
 				goto end;
 		}
-		if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
-			ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
-			ctx->error_depth = i;
-			ctx->current_cert = x;
-			ok = cb(0, ctx);
-			if (!ok)
-				goto end;
-		}
 		ret = X509_check_ca(x);
 		switch (must_be_ca) {
 		case -1:
@@ -838,24 +825,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
 		/* Increment path length if not self issued */
 		if (!(x->ex_flags & EXFLAG_SI))
 			plen++;
-		/* If this certificate is a proxy certificate, the next
-		   certificate must be another proxy certificate or a EE
-		   certificate.  If not, the next certificate must be a
-		   CA certificate.  */
-		if (x->ex_flags & EXFLAG_PROXY) {
-			if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
-				ctx->error =
-				    X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
-				ctx->error_depth = i;
-				ctx->current_cert = x;
-				ok = cb(0, ctx);
-				if (!ok)
-					goto end;
-			}
-			proxy_path_length++;
-			must_be_ca = 0;
-		} else
-			must_be_ca = 1;
+		must_be_ca = 1;
 	}
 	ok = 1;
 
-- 
cgit v1.2.3-55-g6feb