Verification with a Root without name constraints fails #208

Open
ghost opened this issue Apr 7, 2021 · 0 comments

Comments


ghost commented Apr 7, 2021

Certificate details

foo.cfg:

[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca

[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints=critical,CA:true,pathlen:1
keyUsage=critical,keyCertSign,cRLSign

[dn]
C=DE
ST=Test
L=Test
O=Test
OU=Test
CN=Test

openssl req -out foo.pem -keyout foo.key -newkey rsa:4096 -sha256 -new -batch -x509 -days 123 -config foo.cfg

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4f:4e:fd:01:74:e4:b1:93:76:6a:11:d1:c2:82:d4:03:90:57:c8:3e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Test, L = Test, O = Test, OU = Test, CN = Test
        Validity
            Not Before: Apr  7 11:27:49 2021 GMT
            Not After : Aug  8 11:27:49 2021 GMT
        Subject: C = DE, ST = Test, L = Test, O = Test, OU = Test, CN = Test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                82:43:1E:87:73:2B:5C:92:9F:BA:10:2C:94:63:5A:E1:98:02:06:47
            X509v3 Authority Key Identifier:
                keyid:82:43:1E:87:73:2B:5C:92:9F:BA:10:2C:94:63:5A:E1:98:02:06:47

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption

The name::check_name_constraints function call here fails on a newly generated root certificate, thus it cannot be used to build a trust chain and a call to verify_tls_client_cert() returns Err(Error::UnknownIssuer).

For demonstration purposes, the following change makes it succeed:

diff --git a/src/name.rs b/src/name.rs
index 24cb69f..314ea2a 100644
--- a/src/name.rs
+++ b/src/name.rs
@@ -173,8 +173,8 @@ pub fn check_name_constraints(
         }
         let subtrees = der::nested(inner, subtrees_tag, Error::BadDER, |tagged| {
             der::expect_tag_and_get_value(tagged, der::Tag::Sequence)
-        })?;
-        Ok(Some(subtrees))
+        });
+        Ok(subtrees.ok())
     }

     let permitted_subtrees = parse_subtrees(input, der::Tag::ContextSpecificConstructed0)?;
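Review bot: Replacing `})?;` / `Ok(Some(subtrees))` with `});` / `Ok(subtrees.ok())` makes parse_subtrees return `None` for any DER parse failure, so a malformed permittedSubtrees or excludedSubtrees is treated exactly like an absent one; that fails open for the one extension whose purpose is to restrict what a CA may sign. The case the issue describes (a root with no NameConstraints extension at all) belongs in the caller, or in an explicit check on the tag before `der::nested`, while `Error::BadDER` keeps propagating through `?`; as the text itself says this is for demonstration, it should not land in this form.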

ghost pushed a commit to nyantec/webpki that referenced this issue Apr 8, 2021
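A minimal DER walk of a NameConstraints extension value, added here as an illustration and not webpki's code, the patch in this issue, or the reporter's: it keeps "extension absent" (`None`, the situation of the root in this report) distinct from "extension malformed" (an error), which is exactly the distinction the `.ok()` change collapses. Tag values follow RFC 5280; only dNSName bases and short-form lengths are handled, and the sample bytes are constructed for the example.

```python
class BadDER(Exception): pass  # malformed DER; never collapse this to "no constraints"

def _tlv(buf, pos):
    """Read one short-form DER TLV at pos -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise BadDER("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise BadDER("long-form lengths are out of scope for this example")
    end = pos + 2 + length
    if end > len(buf):
        raise BadDER("truncated value")
    return tag, buf[pos + 2:end], end

def _subtrees(value):
    """GeneralSubtrees ::= SEQUENCE OF GeneralSubtree; only dNSName ([2]) bases are decoded."""
    names, pos = [], 0
    while pos < len(value):
        tag, subtree, pos = _tlv(value, pos)
        if tag != 0x30:
            raise BadDER("GeneralSubtree must be a SEQUENCE")
        base_tag, base, _ = _tlv(subtree, 0)  # minimum/maximum fields (if any) are ignored here
        if base_tag != 0x82:
            raise BadDER("unsupported GeneralName tag 0x%02x" % base_tag)
        names.append(base.decode("ascii"))
    return names

def parse_name_constraints(ext_value):
    """ext_value: DER extnValue of NameConstraints, or None when the extension is absent.
    Absent -> None (caller decides; a root without the extension is simply unconstrained);
    present -> {'permitted': [...], 'excluded': [...]}; malformed -> BadDER, never None."""
    if ext_value is None:
        return None
    tag, inner, end = _tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise BadDER("NameConstraints must be a single SEQUENCE")
    result, pos = {"permitted": None, "excluded": None}, 0
    while pos < len(inner):
        tag, value, pos = _tlv(inner, pos)
        if tag == 0xA0:    # permittedSubtrees [0]
            result["permitted"] = _subtrees(value)
        elif tag == 0xA1:  # excludedSubtrees [1]
            result["excluded"] = _subtrees(value)
        else:
            raise BadDER("unexpected tag 0x%02x in NameConstraints" % tag)
    return result

def _wrap(tag, payload):  # builds the constructed sample data (short-form length only)
    return bytes([tag, len(payload)]) + payload
# Constructed: NameConstraints { permittedSubtrees [0] { GeneralSubtree { dNSName "example.com" } } }
SAMPLE_PERMITTED = _wrap(0x30, _wrap(0xA0, _wrap(0x30, _wrap(0x82, b"example.com"))))
SAMPLE_MALFORMED = SAMPLE_PERMITTED[:-3]  # constructed: truncated, so it must raise rather than return None
```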