Bug 1302371 - openssl: X509_check_issued() does not check BasicConstraints
Summary: openssl: X509_check_issued() does not check BasicConstraints
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1301692
Reported: 2016-01-27 16:05 UTC by Adam Mariš
Modified: 2021-06-01 13:03 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-24 06:45:57 UTC
Embargoed:


Attachments
Proposed patch (1.32 KB, patch)
2016-01-27 16:07 UTC, Adam Mariš
Proposed upstream patch 1 (1.82 KB, patch)
2016-02-15 16:33 UTC, Adam Mariš
Proposed upstream patch 2 (1.84 KB, patch)
2016-02-15 16:33 UTC, Adam Mariš
Proposed upstream patch 3 (11.24 KB, patch)
2016-02-15 16:34 UTC, Adam Mariš
Proposed upstream patch 4 (6.88 KB, patch)
2016-02-15 16:34 UTC, Adam Mariš

Description Adam Mariš 2016-01-27 16:05:12 UTC
It was reported that X509_check_issued() only checked the X509 Key Usage field for KU_KEY_CERT_SIGN but not the BasicConstraints field for CA:true. The missing check can cause X509_verify_cert() to pick up an invalid trust anchor when X509_V_FLAG_TRUSTED_FIRST is set.

Comment 2 Adam Mariš 2016-01-27 16:07:13 UTC
Created attachment 1118829
Proposed patch

Comment 4 Adam Mariš 2016-02-15 16:33:07 UTC
Created attachment 1127338
Proposed upstream patch 1

Comment 5 Adam Mariš 2016-02-15 16:33:37 UTC
Created attachment 1127339
Proposed upstream patch 2

Comment 6 Adam Mariš 2016-02-15 16:34:18 UTC
Created attachment 1127340
Proposed upstream patch 3

Comment 7 Adam Mariš 2016-02-15 16:34:41 UTC
Created attachment 1127341
Proposed upstream patch 4
