authorTheo Buehler <tb@cvs.openbsd.org>2023-04-16 08:06:43 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-04-16 08:06:43 +0000
commit54064c9acb13e78017abcb0655f59a9d64579d83 (patch)
treec3692802380d0379803d8046dc162b4361780c6c /lib/libcrypto
parent8a72e412eed42fb1ae2aa7909736ee94c327e50d (diff)
More ProxyCertInfo tentacles go to the attic
This removes ProxyCertInfo from extension caching and issuer checking, and it also drops the special path validation for proxy certs from the legacy verifier. ok jsing
Diffstat (limited to 'lib/libcrypto')
-rw-r--r--lib/libcrypto/x509/x509_purp.c33
-rw-r--r--lib/libcrypto/x509/x509_vfy.c38
2 files changed, 6 insertions, 65 deletions
diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c
index 176d9d679fe..621f6f0f901 100644
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -380,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex)
NID_sbgp_autonomousSysNum, /* 291 */
#endif
NID_policy_constraints, /* 401 */
- NID_proxyCertInfo, /* 663 */
NID_name_constraints, /* 666 */
NID_policy_mappings, /* 747 */
NID_inhibit_any_policy /* 748 */
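Review bot: Dropping NID_proxyCertInfo from this table changes how a certificate that marks its proxyCertInfo extension critical is handled: whatever consumes X509_supported_extension (outside the hunk) presumably now classifies it as an unsupported critical extension, so such a certificate moves from "parsed and validated" to "rejected". That is consistent with retiring proxy certificates, but it is a behavioural change nothing in the diff records. A one-line comment above the table, `/* NID_proxyCertInfo intentionally absent: proxy certificates are no longer supported */`, would stop a later maintainer from re-adding the entry to "fix" a rejected certificate.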
@@ -446,7 +445,6 @@ static void
x509v3_cache_extensions_internal(X509 *x)
{
BASIC_CONSTRAINTS *bs;
- PROXY_CERT_INFO_EXTENSION *pci;
ASN1_BIT_STRING *usage;
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
@@ -481,30 +479,6 @@ x509v3_cache_extensions_internal(X509 *x)
x->ex_flags |= EXFLAG_INVALID;
}
- /* Handle proxy certificates */
- if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
- if (x->ex_flags & EXFLAG_CA ||
- X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
- X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
- x->ex_flags |= EXFLAG_INVALID;
- }
- if (pci->pcPathLengthConstraint) {
- if (pci->pcPathLengthConstraint->type ==
- V_ASN1_NEG_INTEGER) {
- x->ex_flags |= EXFLAG_INVALID;
- x->ex_pcpathlen = 0;
- } else
- x->ex_pcpathlen =
- ASN1_INTEGER_get(pci->
- pcPathLengthConstraint);
- } else
- x->ex_pcpathlen = -1;
- PROXY_CERT_INFO_EXTENSION_free(pci);
- x->ex_flags |= EXFLAG_PROXY;
- } else if (i != -1) {
- x->ex_flags |= EXFLAG_INVALID;
- }
-
/* Handle key usage */
if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
if (usage->length > 0) {
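Review bot: With the proxy block gone, `x->ex_pcpathlen` is no longer written anywhere in this function, yet the diff does not remove the field itself; the only reader visible in this diff is the one deleted in x509_vfy.c, so if other readers remain they now see whatever the allocator left in the field (X509_new presumably zeroes it — confirm). Either retire the field in a follow-up or reset it alongside the other ex_* defaults, e.g. `x->ex_pcpathlen = -1;`. A second consequence worth a comment: a non-critical proxyCertInfo extension that fails to decode previously set EXFLAG_INVALID through the `i != -1` branch and is now silently ignored, which differs from the treatment this function still gives the extensions it knows. x509v3_cache_extensions_internal starts and ends outside this hunk.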
@@ -908,10 +882,7 @@ X509_check_issued(X509 *issuer, X509 *subject)
return ret;
}
- if (subject->ex_flags & EXFLAG_PROXY) {
- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+ if (ku_reject(issuer, KU_KEY_CERT_SIGN))
return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
return X509_V_OK;
}
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 8bba7961981..8fd193699eb 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -732,7 +732,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
int (*cb)(int xok, X509_STORE_CTX *xctx);
int proxy_path_length = 0;
int purpose;
- int allow_proxy_certs;
cb = ctx->verify_cb;
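Review bot: `int proxy_path_length = 0;` just above the removed declaration is left behind, although the only write to it visible in this diff, the `proxy_path_length++` deleted in the last hunk of this file, is gone. Unless the rest of x509_vfy_check_chain_extensions (which starts and ends outside this hunk) still reads it, it is now a set-but-unused local that -Wunused-but-set-variable will flag, and its declaration should go with the other proxy leftovers.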
@@ -747,14 +746,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
must_be_ca = -1;
/* CRL path validation */
- if (ctx->parent) {
- allow_proxy_certs = 0;
+ if (ctx->parent)
purpose = X509_PURPOSE_CRL_SIGN;
- } else {
- allow_proxy_certs =
- !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+ else
purpose = ctx->param->purpose;
- }
/* Check all untrusted certificates */
for (i = 0; i < ctx->num_untrusted; i++) {
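Review bot: This hunk removes the only consumer of X509_V_FLAG_ALLOW_PROXY_CERTS visible in the diff, but the flag is not retired, so an application that sets it to opt in to proxy certificates now gets neither the behaviour nor an error. The flag's documentation should say it is accepted for compatibility and ignored, and the error codes this file no longer raises, X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED and X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, deserve the same note if they are kept for ABI. The surrounding function starts and ends outside this hunk.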
@@ -769,14 +764,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
if (!ok)
goto end;
}
- if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
- ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- ok = cb(0, ctx);
- if (!ok)
- goto end;
- }
ret = X509_check_ca(x);
switch (must_be_ca) {
case -1:
@@ -838,24 +825,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
/* Increment path length if not self issued */
if (!(x->ex_flags & EXFLAG_SI))
plen++;
- /* If this certificate is a proxy certificate, the next
- certificate must be another proxy certificate or a EE
- certificate. If not, the next certificate must be a
- CA certificate. */
- if (x->ex_flags & EXFLAG_PROXY) {
- if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
- ctx->error =
- X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- ok = cb(0, ctx);
- if (!ok)
- goto end;
- }
- proxy_path_length++;
- must_be_ca = 0;
- } else
- must_be_ca = 1;
+ must_be_ca = 1;
}
ok = 1;
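Review bot: With `must_be_ca = 1;` now unconditional at the end of the loop body, must_be_ca only ever holds -1 (its initial value) or 1, so if the `switch (must_be_ca)` earlier in x509_vfy_check_chain_extensions has a `case 0:` arm (the switch's arms are outside this diff, only `case -1:` is visible), that arm appears unreachable and should be removed or marked in a follow-up rather than left as apparently live validation. The retained comment `/* Increment path length if not self issued */` still matches the code. The enclosing function starts and ends outside this hunk.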