Fixes issue with CA path length basic constraint checking for self signed root CA's. ZD 4863

David Garske
2019-03-04 11:27:51 -08:00
parent da27a4da10
commit 980970da86
3 changed files with 14 additions and 6 deletions


@@ -4218,6 +4218,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
} }
signer->pathLength = cert->pathLength; signer->pathLength = cert->pathLength;
signer->pathLengthSet = cert->pathLengthSet; signer->pathLengthSet = cert->pathLengthSet;
signer->selfSigned = cert->selfSigned;
#ifndef IGNORE_NAME_CONSTRAINTS #ifndef IGNORE_NAME_CONSTRAINTS
signer->permittedNames = cert->permittedNames; signer->permittedNames = cert->permittedNames;
signer->excludedNames = cert->excludedNames; signer->excludedNames = cert->excludedNames;
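Review bot: With pathLengthSet and the new selfSigned both declared as 1-bit fields in struct Signer, the two copies just above `#ifndef IGNORE_NAME_CONSTRAINTS` silently truncate any source value other than 0 or 1; if DecodedCert only ever stores 1 in these flags that is harmless, but nothing in this hunk shows it. Normalizing at the copy, `signer->selfSigned = (cert->selfSigned != 0);` and likewise `signer->pathLengthSet = (cert->pathLengthSet != 0);`, makes the Signer flags independent of how the DecodedCert bytes were set. AddCA begins and ends outside the hunk.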


@@ -8099,16 +8099,22 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
WOLFSSL_MSG("About to verify certificate signature"); WOLFSSL_MSG("About to verify certificate signature");
if (cert->ca) { if (cert->ca) {
/* Check if cert is CA type and has path length set */ /* Check if cert is CA type and signer has path length set */
if (cert->isCA && cert->ca->pathLengthSet) { if (cert->isCA && cert->ca->pathLengthSet) {
/* Check root CA (self-signed) has path length > 0 */ /* Check if signer is root CA (self-signed) */
if (cert->selfSigned) { if (cert->ca->selfSigned) {
if (cert->ca->pathLength != 0) { /* Root CA as signer:
WOLFSSL_MSG("Root CA with path length > 0"); * Must have path length > 0 to sign another CA
* If path length == 0 can only sign an end entity
* certificate, not intermediate CA
*/
if (cert->ca->pathLength == 0) {
WOLFSSL_MSG("Root CA with path length == 0");
return ASN_PATHLEN_INV_E; return ASN_PATHLEN_INV_E;
} }
} }
else { else {
/* Intermediate CA signing Intermediate CA */
/* Check path lengths are valid between two CA's */ /* Check path lengths are valid between two CA's */
if (cert->ca->pathLength == 0) { if (cert->ca->pathLength == 0) {
WOLFSSL_MSG("CA with path length 0 signing a CA"); WOLFSSL_MSG("CA with path length 0 signing a CA");
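Review bot: A self-signed CA certificate verified against its own Signer entry now reaches the root-CA branch: if `cert->ca` can resolve to the certificate's own entry for a self-signed cert (I cannot confirm that from this hunk), a root with pathLenConstraint 0 is rejected with ASN_PATHLEN_INV_E, where the old `cert->selfSigned` test let it through. Excluding that case at the outer test, `if (cert->isCA && !cert->selfSigned && cert->ca->pathLengthSet) {`, keeps the check to what the new comment describes, a signer issuing a subordinate CA. Both branches also open with the same `cert->ca->pathLength == 0` test and differ only in the log message, so a one-line comment stating that the root branch intentionally skips the `cert->pathLength` comparison the intermediate branch presumably makes further down would save the next reader a double-take. ParseCertRelative continues outside the hunk on both sides.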


@@ -861,7 +861,8 @@ struct Signer {
word32 keyOID; /* key type */ word32 keyOID; /* key type */
word16 keyUsage; word16 keyUsage;
byte pathLength; byte pathLength;
byte pathLengthSet; byte pathLengthSet : 1;
byte selfSigned : 1;
const byte* publicKey; const byte* publicKey;
int nameLen; int nameLen;
char* name; /* common name */ char* name; /* common name */
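Review bot: `byte pathLengthSet : 1;` and `byte selfSigned : 1;` declare bit-fields on a type other than `_Bool`, `int` or `unsigned int`, which C11 (6.7.2.1) leaves implementation-defined, so the change relies on every targeted compiler accepting unsigned-char bit-fields. If the project already uses `byte x : 1;` elsewhere this is consistent with it; otherwise `unsigned int` bit-fields or plain `byte` flags avoid the question. Either way a short comment on the two fields, `/* 0/1 flags copied from DecodedCert in AddCA */`, would document the contract the copy in AddCA depends on. struct Signer continues outside the hunk.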