From af5673b318b3bb1548e40342abba68903d680131 Mon Sep 17 00:00:00 2001 From: tb <> Date: Sun, 16 Apr 2023 08:06:42 +0000 Subject: More ProxyCertInfo tentacles go to the attic This removes ProxyCertInfo from extension caching, issuer checking and it also drops the special path validation for proxy certs from the legacy verifier. ok jsing --- src/lib/libcrypto/x509/x509_purp.c | 33 ++------------------------------- src/lib/libcrypto/x509/x509_vfy.c | 38 ++++---------------------------------- 2 files changed, 6 insertions(+), 65 deletions(-) (limited to 'src') diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c index 176d9d679f..621f6f0f90 100644 --- a/src/lib/libcrypto/x509/x509_purp.c +++ b/src/lib/libcrypto/x509/x509_purp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -380,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex) NID_sbgp_autonomousSysNum, /* 291 */ #endif NID_policy_constraints, /* 401 */ - NID_proxyCertInfo, /* 663 */ NID_name_constraints, /* 666 */ NID_policy_mappings, /* 747 */ NID_inhibit_any_policy /* 748 */ @@ -446,7 +445,6 @@ static void x509v3_cache_extensions_internal(X509 *x) { BASIC_CONSTRAINTS *bs; - PROXY_CERT_INFO_EXTENSION *pci; ASN1_BIT_STRING *usage; ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; @@ -481,30 +479,6 @@ x509v3_cache_extensions_internal(X509 *x) x->ex_flags |= EXFLAG_INVALID; } - /* Handle proxy certificates */ - if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) { - if (x->ex_flags & EXFLAG_CA || - X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || - X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { - x->ex_flags |= EXFLAG_INVALID; - } - if (pci->pcPathLengthConstraint) { - if (pci->pcPathLengthConstraint->type == - V_ASN1_NEG_INTEGER) { - x->ex_flags |= EXFLAG_INVALID; - x->ex_pcpathlen = 0; - } else - x->ex_pcpathlen = - ASN1_INTEGER_get(pci-> - pcPathLengthConstraint); - } else - x->ex_pcpathlen = -1; - PROXY_CERT_INFO_EXTENSION_free(pci); - x->ex_flags |= EXFLAG_PROXY; - } else if (i != -1) { - x->ex_flags |= EXFLAG_INVALID; - } - /* Handle key usage */ if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) { if (usage->length > 0) { @@ -908,10 +882,7 @@ X509_check_issued(X509 *issuer, X509 *subject) return ret; } - if (subject->ex_flags & EXFLAG_PROXY) { - if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) - return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; - } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) + if (ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; return X509_V_OK; } diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 8bba796198..8fd193699e 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -732,7 +732,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) int (*cb)(int xok, X509_STORE_CTX *xctx); int proxy_path_length = 0; int purpose; - int allow_proxy_certs; cb = ctx->verify_cb; @@ -747,14 +746,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) must_be_ca = -1; /* CRL path validation */ - if (ctx->parent) { - allow_proxy_certs = 0; + if (ctx->parent) purpose = X509_PURPOSE_CRL_SIGN; - } else { - allow_proxy_certs = - !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); + else purpose = ctx->param->purpose; - } /* Check all untrusted certificates */ for (i = 0; i < ctx->num_untrusted; i++) { @@ -769,14 +764,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) if (!ok) goto end; } - if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { - ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; - ctx->error_depth = i; - ctx->current_cert = x; - ok = cb(0, ctx); - if (!ok) - goto end; - } ret = X509_check_ca(x); switch (must_be_ca) { case -1: @@ -838,24 +825,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) plen++; - /* If this certificate is a proxy certificate, the next - certificate must be another proxy certificate or a EE - certificate. If not, the next certificate must be a - CA certificate. */ - if (x->ex_flags & EXFLAG_PROXY) { - if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { - ctx->error = - X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; - ctx->error_depth = i; - ctx->current_cert = x; - ok = cb(0, ctx); - if (!ok) - goto end; - } - proxy_path_length++; - must_be_ca = 0; - } else - must_be_ca = 1; + must_be_ca = 1; } ok = 1; -- cgit v1.2.3-55-g6feb