[botan-devel] Basic Constraints Pathlen Constraint

René Korthaus r.korthaus at sirrix.com
Mon Apr 3 12:02:46 EDT 2017


Thanks for the bug report. You seem to be right, I can reproduce the
issue with a simple chain:

EE
  IntCA
    RootCA   pathLenConstraint = 1

which returns "Certificate did not validate - Certificate chain too
long" when running ./botan cert_verify ee.crt int.crt root.crt.

However, while your proposed fix works for this chain, it fails for
others. Run botan-test x509_test_x509test and x509_test_nist and you'll
see invalid chains incorrectly accepted where CERT_CHAIN_TOO_LONG was
expected, for example:

EE
  Lev3CA
    Lev2CA   pathLenConstraint = 1
      Lev1CA   pathLenConstraint = 1
        Root

When reaching Lev2CA, 2 < 2 will evaluate to false and thus the chain
will validate correctly.

I also tried adopting the algorithm listed in RFC 5280, but can't get it
to work; other tests fail. In part this seems not to work because Botan
uses zero as the default value for pathLenConstraint on end entity
certificates internally.

On 31.03.2017 at 16:28, Falko Strenzke wrote:
> Hi,
> 
> during some tests with X.509 verification the following error showed up
> in Botan 2.0.1:
> 
>  x509path.cpp:
>   83       if(issuer->path_limit() < i)
>   84         status.insert(Certificate_Status_Code::CERT_CHAIN_TOO_LONG);
> 
> This is incorrect since it includes the target certificate, i.e. the EE
> certificate, in the path length calculation. However, according to RFC
> 5280, the target certificate must not be counted here. In a chain
> TrustAnchor->SubCA->EE the variable would be 2 when reaching the
> TrustAnchor, and if it has a path length constraint of 1 the chain would
> erroneously be rejected. Correct would thus be:
> 
> 83       if(issuer->path_limit() + 1 < i)
> 84         status.insert(Certificate_Status_Code::CERT_CHAIN_TOO_LONG);
> 
> Whether checking for an integer overflow is necessary here is something
> that could be asserted...
> 
> Regards,
> Falko

-- 
René Korthaus
System Developer

Rohde & Schwarz Cybersecurity

R&S Cybersecurity Sirrix GmbH
Lise-Meitner-Allee 4, D-44801 Bochum
Phone: + 49 234 610071 163
Email: r.korthaus at sirrix.com
PGP Key ID 0x587E74D6 Fingerprint C196 FF9D 3DDC A5E7 F98C E745 9AD0
F9FA 587E 74D6
Internet: www.cybersecurity.rohde-schwarz.com

Trade register: Amtsgericht Saarbrücken HRB 103442
Executive board: Christian Stüble, Dr. Norbert Schirmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ee.crt
Type: application/pkix-cert
Size: 1119 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170403/edc6b921/attachment.cer>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: int.crt
Type: application/pkix-cert
Size: 1082 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170403/edc6b921/attachment-0001.cer>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: root.crt
Type: application/pkix-cert
Size: 1086 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170403/edc6b921/attachment-0002.cer>
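
Added example, not part of the original thread and not Botan's code: a small model that runs both chains from the messages above through the index comparison (as posted and with the proposed "+ 1") and through the max_path_length counting of RFC 5280 section 6.1.4. The Cert struct, the NO_LIMIT sentinel and all function names are constructed for illustration; the pairing of index i with the issuer at i + 1 and the use of the anchor's own constraint are assumptions, since the thread does not show the surrounding loop.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

const uint32_t NO_LIMIT = 0xFFFFFFFF;  // constructed sentinel: no pathLenConstraint

struct Cert { bool self_issued; uint32_t path_len; };  // paths are stored EE first

// Index comparison from the thread: slack 0 is `path_limit() < i`, slack 1 is
// `path_limit() + 1 < i`. Assumed pairing: issuer = path[i + 1], root issues itself.
bool index_check_ok(const std::vector<Cert>& path, uint64_t slack) {
    for (size_t i = 0; i < path.size(); ++i) {
        const Cert& issuer = path[i + 1 < path.size() ? i + 1 : i];
        // Widened to 64 bits so that "+ 1" cannot wrap around.
        if (uint64_t(issuer.path_len) + slack < i) return false;
    }
    return true;
}

// RFC 5280 section 6.1.4 steps (l) and (m), walking from the anchor towards the EE.
// Assumption: the anchor's own constraint seeds max_path_length.
bool rfc5280_ok(const std::vector<Cert>& path) {
    if (path.size() < 2) return true;
    const size_t anchor = path.size() - 1;
    uint64_t max_len = anchor;  // n: certificates below the anchor
    if (path[anchor].path_len < max_len) max_len = path[anchor].path_len;
    for (size_t i = anchor; i-- > 1; ) {  // intermediates only; the EE is never counted
        if (!path[i].self_issued) {       // (l) consume one level of the budget
            if (max_len == 0) return false;
            --max_len;
        }
        if (path[i].path_len < max_len) max_len = path[i].path_len;  // (m) tighten
    }
    return true;
}

// The two chains from the thread, EE first.
std::vector<Cert> chain_a() { return {{false, NO_LIMIT}, {false, NO_LIMIT}, {true, 1}}; }
std::vector<Cert> chain_b() {
    return {{false, NO_LIMIT}, {false, NO_LIMIT}, {false, 1}, {false, 1}, {true, NO_LIMIT}};
}

int main() {
    for (const auto& c : {chain_a(), chain_b()})
        std::printf("rfc5280=%d  '<'=%d  '+1<'=%d\n",
                    rfc5280_ok(c), index_check_ok(c, 0), index_check_ok(c, 1));
    return 0;
}
```

Under these assumptions neither index comparison agrees with the RFC counting on both chains, because a fixed offset from the EE cannot track a budget that each CA in the path may tighten.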

