It was reported that X509_check_issued() only checked the X509 Key Usage field for KU_KEY_CERT_SIGN but not the BasicConstraints field for CA:true. The missing check can cause X509_verify_cert() to pick up an invalid trust anchor when X509_V_FLAG_TRUSTED_FIRST is set.
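To illustrate the issuer-lookup problem described above, here is an added, constructed Python model (not OpenSSL code and not the patch from this report) of how X509_verify_cert() picks an issuer when X509_V_FLAG_TRUSTED_FIRST is set: the trust store is searched first, and a check that looks only at keyCertSign accepts a trust-store entry that lacks CA:true, while the corrected check skips it. The Cert records, the names and the two check functions are assumptions of this example.

```python
from dataclasses import dataclass, field

KU_KEY_CERT_SIGN = "keyCertSign"


@dataclass
class Cert:
    """Constructed stand-in for an X509 object; only the fields the
    issuer check looks at are modelled."""
    subject: str
    issuer: str
    key_usage: set = field(default_factory=set)
    ca: bool = False  # BasicConstraints CA flag


def check_issued_buggy(issuer, subject):
    """Pre-fix behaviour: issuer name must match and KU keyCertSign
    must be present, BasicConstraints is ignored."""
    return (issuer.subject == subject.issuer
            and KU_KEY_CERT_SIGN in issuer.key_usage)


def check_issued_fixed(issuer, subject):
    """Fixed behaviour: additionally require BasicConstraints CA:true."""
    return check_issued_buggy(issuer, subject) and issuer.ca


def find_issuer(subject, trusted, untrusted, check, trusted_first=True):
    """Mimic the lookup order: with TRUSTED_FIRST the trust store is
    consulted before the untrusted chain certificates."""
    pools = [trusted, untrusted] if trusted_first else [untrusted, trusted]
    for pool in pools:
        for cand in pool:
            if check(cand, subject):
                return cand
    return None


def demo():
    leaf = Cert("CN=server", "CN=Intermediate")
    real_ca = Cert("CN=Intermediate", "CN=Root", {KU_KEY_CERT_SIGN}, ca=True)
    # Constructed trust-store entry: same subject name and keyCertSign set,
    # but CA:false, so it must never be accepted as a trust anchor.
    bogus = Cert("CN=Intermediate", "CN=Root", {KU_KEY_CERT_SIGN}, ca=False)
    picked_buggy = find_issuer(leaf, [bogus], [real_ca], check_issued_buggy)
    picked_fixed = find_issuer(leaf, [bogus], [real_ca], check_issued_fixed)
    # Buggy check picks the non-CA entry; fixed check falls through to the
    # genuine intermediate. Returns (True, True).
    return picked_buggy is bogus, picked_fixed is real_ca
```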
Created attachment 1118829: Proposed patch
Created attachment 1127338: Proposed upstream patch 1
Created attachment 1127339: Proposed upstream patch 2
Created attachment 1127340: Proposed upstream patch 3
Created attachment 1127341: Proposed upstream patch 4
Upstream patch applied to openssl/master:
https://github.com/openssl/openssl/commit/3342dcea7a633e579e1971dfd16ff3fc14dc3936
https://github.com/openssl/openssl/commit/33cc5dde478ba5ad79f8fd4acd8737f0e60e236e