[botan-devel] Basic Constraints Pathlen Constraint

Falko Strenzke fstrenzke at cryptosource.de
Fri Mar 31 10:28:27 EDT 2017


Hi,

during some tests with X.509 verification the following error showed up
in Botan 2.0.1:

 x509path.cpp:
  83       if(issuer->path_limit() <
i)                                                                                                    

  84         
status.insert(Certificate_Status_Code::CERT_CHAIN_TOO_LONG);          

This is incorrect since it includes the target certificate, i.e. the EE
certificate, in the path length calculation. However, according to RFC
5280, the target certificate must not be counted here. In a chain
TrustAnchor->SubCA->EE the variable would be 2 when reaching the
TrustAnchor, and if it has a path length constraint of 1 the chain would
erroneously be rejected. Correct would thus be:

83       if(issuer->path_limit() + 1 < i)
84         
status.insert(Certificate_Status_Code::CERT_CHAIN_TOO_LONG);       

Whether checking for an integer overflow is necessary here is something
that could be asserted...

Regards,
Falko
-- 

cryptosource logo

Dr. Falko Strenzke
Dipl-Phys.
Geschäftsführer /
Managing Director

	cryptosource GmbH
Pallaswiesenstr. 182
64293 Darmstadt
Tel.: 	+49 (0) 6151 / 86 22 379
Fax.: 	+49 (0) 6151 / 786 65 80
Mobil.: 	+49 (0) 177 / 898 53 28

Email: fstrenzke at cryptosource.de <mailto:fstrenzke at cryptosource.de>
Internet: www.cryptosource.de <http://www.cryptosource.de>
	Geschäftsführer: Dr. Falko Strenzke
Unternehmenssitz: Darmstadt
Registergericht: Amtsgericht Darmstadt
Handelsregister-Nummer: HRB 93037
Umsatzsteuer-ID: DE294145062


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170331/a74d0254/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.jpg
Type: image/jpeg
Size: 9937 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170331/a74d0254/attachment-0001.jpg>


More information about the botan-devel mailing list