x509_vfy.c: Improve key usage checks in internal_verify() of cert chains #12375
Closed
DDvO wants to merge 2 commits into openssl:master from
… X509_get_serialNumber
If a presumably self-signed cert is last in chain we verify its signature only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the signature verification, but not in case it is a (non-conforming) self-issued CA certificate with a key usage extension that does not include keyCertSign. Make clear when we must verify the signature of a certificate and when we must adhere to key usage restrictions of the 'issuing' cert. Add some comments for making internal_verify() easier to understand. Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.
t8m reviewed Jul 14, 2020
openssl-machine pushed a commit that referenced this pull request Jul 16, 2020
… X509_get_serialNumber Reviewed-by: Tomas Mraz <[email protected]> (Merged from #12375)
openssl-machine pushed a commit that referenced this pull request Jul 16, 2020
If a presumably self-signed cert is last in chain we verify its signature only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the signature verification, but not in case it is a (non-conforming) self-issued CA certificate with a key usage extension that does not include keyCertSign. Make clear when we must verify the signature of a certificate and when we must adhere to key usage restrictions of the 'issuing' cert. Add some comments for making internal_verify() easier to understand. Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly. Reviewed-by: Tomas Mraz <[email protected]> (Merged from #12375)
Merged - thanks again for the quick handling!
This is the 'forward-port' I'm proposing as a by-product of the backport done in #12357.
See the discussion thread there starting with #12357 (review).
If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.
Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.
Constify X509_check_akid() and prefer using X509_get0_serialNumber() over X509_get_serialNumber().