summaryrefslogtreecommitdiff
path: root/lib/libcrypto/x509v3
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2017-06-22 17:28:01 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2017-06-22 17:28:01 +0000
commitbbd1226d7b12c8c86442982ea42d0c6a50ef757f (patch)
treee3d9f68723f9dc332b9fc8861938bcd197a6b4af /lib/libcrypto/x509v3
parente1b4c5ef6b777d131c4b754c3f2e2c2a5bcc4fcd (diff)
Distinguish between self-issued certificates and self-signed certificates.
The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category. Based on BoringSSL. Thanks to Dale Ghent <daleg at elemental dot org> for assisting in identifying the issue and testing this fix. ok inoguchi@
Diffstat (limited to 'lib/libcrypto/x509v3')
-rw-r--r--lib/libcrypto/x509v3/v3_purp.c38
-rw-r--r--lib/libcrypto/x509v3/x509v3.h32
2 files changed, 40 insertions, 30 deletions
diff --git a/lib/libcrypto/x509v3/v3_purp.c b/lib/libcrypto/x509v3/v3_purp.c
index bdcdf95d129..d692a19c25d 100644
--- a/lib/libcrypto/x509v3/v3_purp.c
+++ b/lib/libcrypto/x509v3/v3_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: v3_purp.c,v 1.29 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: v3_purp.c,v 1.30 2017/06/22 17:28:00 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -65,6 +65,14 @@
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
static void x509v3_cache_extensions(X509 *x);
static int check_ssl_ca(const X509 *x);
@@ -427,19 +435,19 @@ x509v3_cache_extensions(X509 *x)
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
X509_EXTENSION *ex;
-
int i;
+
if (x->ex_flags & EXFLAG_SET)
return;
+
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
- /* Does subject name match issuer ? */
- if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
- x->ex_flags |= EXFLAG_SI;
+
/* V1 should mean no extensions ... */
if (!X509_get_version(x))
x->ex_flags |= EXFLAG_V1;
+
/* Handle basic constraints */
if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
if (bs->ca)
@@ -456,6 +464,7 @@ x509v3_cache_extensions(X509 *x)
BASIC_CONSTRAINTS_free(bs);
x->ex_flags |= EXFLAG_BCONS;
}
+
/* Handle proxy certificates */
if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
if (x->ex_flags & EXFLAG_CA ||
@@ -477,6 +486,7 @@ x509v3_cache_extensions(X509 *x)
PROXY_CERT_INFO_EXTENSION_free(pci);
x->ex_flags |= EXFLAG_PROXY;
}
+
/* Handle key usage */
if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
if (usage->length > 0) {
@@ -541,6 +551,16 @@ x509v3_cache_extensions(X509 *x)
x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+
+ /* Does subject name match issuer? */
+ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
+ x->ex_flags |= EXFLAG_SI;
+ /* If SKID matches AKID also indicate self signed. */
+ if (X509_check_akid(x, x->akid) == X509_V_OK &&
+ !ku_reject(x, KU_KEY_CERT_SIGN))
+ x->ex_flags |= EXFLAG_SS;
+ }
+
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
if (!x->nc && (i != -1))
@@ -571,14 +591,6 @@ x509v3_cache_extensions(X509 *x)
* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
*/
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-
static int
check_ca(const X509 *x)
{
diff --git a/lib/libcrypto/x509v3/x509v3.h b/lib/libcrypto/x509v3/x509v3.h
index 0a8f66f9179..fbafd694ed9 100644
--- a/lib/libcrypto/x509v3/x509v3.h
+++ b/lib/libcrypto/x509v3/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.21 2016/12/30 16:19:24 jsing Exp $ */
+/* $OpenBSD: x509v3.h,v 1.22 2017/06/22 17:28:00 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -411,23 +411,21 @@ struct ISSUING_DIST_POINT_st
/* X509_PURPOSE stuff */
-#define EXFLAG_BCONS 0x1
-#define EXFLAG_KUSAGE 0x2
-#define EXFLAG_XKUSAGE 0x4
-#define EXFLAG_NSCERT 0x8
-
-#define EXFLAG_CA 0x10
-/* Really self issued not necessarily self signed */
-#define EXFLAG_SI 0x20
-#define EXFLAG_SS 0x20
-#define EXFLAG_V1 0x40
-#define EXFLAG_INVALID 0x80
-#define EXFLAG_SET 0x100
-#define EXFLAG_CRITICAL 0x200
-#define EXFLAG_PROXY 0x400
-
-#define EXFLAG_INVALID_POLICY 0x800
+#define EXFLAG_BCONS 0x0001
+#define EXFLAG_KUSAGE 0x0002
+#define EXFLAG_XKUSAGE 0x0004
+#define EXFLAG_NSCERT 0x0008
+
+#define EXFLAG_CA 0x0010
+#define EXFLAG_SI 0x0020 /* Self issued. */
+#define EXFLAG_V1 0x0040
+#define EXFLAG_INVALID 0x0080
+#define EXFLAG_SET 0x0100
+#define EXFLAG_CRITICAL 0x0200
+#define EXFLAG_PROXY 0x0400
+#define EXFLAG_INVALID_POLICY 0x0800
#define EXFLAG_FRESHEST 0x1000
+#define EXFLAG_SS 0x2000 /* Self signed. */
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION 0x0040