author | Jack Lloyd <[email protected]> | 2021-05-08 12:18:13 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2021-05-08 12:24:40 -0400 |
commit | 2c59a60f878ebe8818f32d15652360987945d8d4 (patch) | |
tree | 67e56d3f7b35691583e6cfbc8c15e8dc5baacd4b | |
parent | ef372a35d7dbbfa574650b9a275e1d9e61cbfdc9 (diff) |
Fix name constraint application
A name constraint on an intermediate certificate should not constrain
the intermediate itself, but only the subordinate certificates.
Fixes GH #2737
-rw-r--r-- | src/lib/x509/x509_ext.cpp | 7 | ||||
-rw-r--r-- | src/tests/data/x509/misc/nc_skip_self/int.pem | 30 | ||||
-rw-r--r-- | src/tests/data/x509/misc/nc_skip_self/leaf.pem | 29 | ||||
-rw-r--r-- | src/tests/data/x509/misc/nc_skip_self/root.pem | 29 | ||||
-rw-r--r-- | src/tests/test_x509_path.cpp | 46 |
5 files changed, 135 insertions, 6 deletions
diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index 123f48d99..c811ba6c9 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -563,14 +563,9 @@ void Name_Constraints::validate(const X509_Certificate& subject, const X509_Cert
 const bool issuer_name_constraint_critical = issuer.is_critical("X509v3.NameConstraints");
- const bool at_self_signed_root = (pos == cert_path.size() - 1);
-
 // Check that all subordinate certs pass the name constraint
- for(size_t j = 0; j <= pos; ++j)
+ for(size_t j = 0; j < pos; ++j)
 {
- if(pos == j && at_self_signed_root)
- continue;
-
 bool permitted = m_name_constraints.permitted().empty();
 bool failed = false;
diff --git a/src/tests/data/x509/misc/nc_skip_self/int.pem b/src/tests/data/x509/misc/nc_skip_self/int.pem
new file mode 100644
index 000000000..209bda324
--- /dev/null
+++ b/src/tests/data/x509/misc/nc_skip_self/int.pem
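Review bot: The new bound `j < pos` now encodes the rule that a name constraint never applies to the certificate that carries it, but nothing in the hunk states that rule, and the comment above the loop still only says "subordinate certs", so a later reader may be tempted to restore `<=`. I would extend the comment to `// RFC 5280 4.2.1.10: name constraints apply only to certificates subsequent to the one carrying the extension, so cert_path[pos] itself is never checked (GH #2737).` The removed `at_self_signed_root` line suggests cert_path is ordered leaf-first with the root at the last index, which is what makes indices below pos the subordinates; if that ordering is the invariant, it is worth stating in the same comment. Name_Constraints::validate begins and ends outside the hunk.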
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFLjCCAxagAwIBAgIBATANBgkqhkiG9w0BAQsFADAzMQswCQYDVQQGEwJDWjEP +MA0GA1UEBwwGUHJhZ3VlMRMwEQYDVQQKDApUZXN0Um9vdENBMB4XDTIxMDUwNDEw +NDY0MVoXDTIyMDUwNDEwNDY0MVowOzELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlBy +YWd1ZTEbMBkGA1UECgwSVGVzdEludGVybWVkaWF0ZUNBMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEA03ZbIxKV+vGe2Uo/052UEarHfylH0eHbFXcedfb/ +Py8y7+cIz4ZtsLoo2XRMoLVvnJglOcSPR72riLknrQ6jo8hktdAr+8JntmasnkR7 +xJBafk8xZZzvRQ/DwNEzq9uASRWrLJpmPP7+SinQWUa8n5dZ+cdCJoLhocPBxvd4 +ZxbyFsiQ9ttjJm8cF8VJN1KM4lpRweNZJdxuezdVxUzEV1dpr5QyY8cQWStJBzP1 +nKpXm9D3vawuOfP1hJ6QYET7pIvpzNuRW5pEnSjegoDieTFxp7cz2giGAE/uKe3L +P45xT6IrH+oaHYiMEla1mwW1i5NJKNpPVqI7LLjVPSsqCRRjsgQrFuDxkX88UjsM +f0F1/YY/xwppd9ha2Zv3KXsF4dDFAiLGzj3MhkXFrEvbs6cdetoDFPmrBbP7B7GY +2HK1BuqbxmmWjLnmUoO0zX8NMIkA3PbKZEzVeUlVuoxQ8lxwLlF3zmyJna7Nyuud +K/cW9mIhChJib++HcoHxyWPwD13aD1mnHoW4xFGCSVc48qjRQ530bKo8P6yRBSHa +fDtcjhcTa5svGHx7uK9z/ZRI9FAIOxu+zJnOiCq7LCKIF9RiBzLuww9YpC0ZEZYu +KMPu+/PfDVnnI4TxdKtXa7iJeJosc+SEUnzBFUa4FRlMB3GVnk7xkXQfrJ6y8XJG +r1MCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAwBgNVHR4BAf8EJjAkoCIwIKQe +MBwxCzAJBgNVBAYTAkNaMQ0wCwYDVQQHDARCcm5vMA0GCSqGSIb3DQEBCwUAA4IC +AQBjL9/LijOxwU9iJ/BV68CEpxWj0OD9qfGknnroS4XSNkgll9exqjI7WBWCyOls +SDyN2NgFrOqRj5vh6x/UhuEjfrYoJBDgyZM0sA2ZLRd1Cnno2xlnodNHUZxeUvl4 +hm/wecmO8fN36LiZfc6PAsEJ9Z4uh/a7QHDKNpy+egenQcpM7LFjCU+bMGP8Xp/u +l09LXmb4kqeYp9ljpf6biMPPMmORlYEtn8+C3i4AR/uWWu2eEjcrB5ImcyTnCzBu +4Tm4qjCDo2wRbFGnm/nXyOx7C6+Ay0pNO/DWSB21qexK13mKkgB+D3G9hVH5pOIu +elu7Zw9pl2qsTnH5iM8SHK2vZPeWPYiI68uCqAKiVRCRkt3GWVn1XH1Jff3Hyyku +Z9KC/pSTZW3IyAxsk2wIhVHK8W95Uy0WRLvioxYvJrCGfuRG5vBE0Ix2/yRtUXGZ +ze4+tWFRCPc7qdVURPMpwkla3U7BQoSk77q6b0crsDqs2NLPEdAOle+TdTAhXlZY +9HNm8l/ZrXFFbJiYVT5GnMvKZxMx60u4+WKwiVa0MOrn1Cp0peMds9ab9gTtN9n+ +5CnpKYsf4OQY47PGS65Ef4q2D4h8nK0ufoDTMZyDz8BkSknztFfvSISAR942f0RD +5CZP6FCUJ10K02umvACjXlMhJntrwXXeofs+k4W2YLVxjw== +-----END CERTIFICATE----- 
diff --git a/src/tests/data/x509/misc/nc_skip_self/leaf.pem b/src/tests/data/x509/misc/nc_skip_self/leaf.pem
new file mode 100644
index 000000000..dd1991acd
--- /dev/null
+++ b/src/tests/data/x509/misc/nc_skip_self/leaf.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE4DCCAsgCAQEwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCQ1oxDzANBgNV +BAcMBlByYWd1ZTEbMBkGA1UECgwSVGVzdEludGVybWVkaWF0ZUNBMB4XDTIxMDUw +NDEwNDY0MloXDTIyMDUwNDEwNDY0MlowMTELMAkGA1UEBhMCQ1oxDTALBgNVBAcM +BEJybm8xEzARBgNVBAoMClRlc3RTZXJ2ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDNE0EdswXQphxPwaYXukZB3oIsZZ76TsRk+L2eVutpLT1L3W+Q +0phTOmwjTguL365ZXllLN3hbPwLgjZzWG2T4sBPLGhSxkasuLk+2YrSg0Qz0iML5 +3wGQtV6KGqb/giPWTbtexelcrfL/3B3ejzIFvkuiQXxzfimNZyg3i4JVMmnKkj2A +Kq4pcJRFx3vzkAptcnJc+UQQpjYcizjvBm3+9XALeNlEbwoj//ySP1OtrZVwpbzq +ARGe4LjkTuBr/T9DhTEVAKW4NQGdUPJV54mkoP/hQ1G0r3qpaAC9i4UtLXCy7o63 +R0vVsIOi+JNyoxeO3XRqt0rV2U1DLwpAj0k1dhNCWQIys4Ufep4AKxGHjkYUznaA +A27NxNSaAnc1g4rTteMkiDW+Ao32/J3NikW7sA+tOpklvrQ+jysIGkXjvVjMylsu +BO80bhrm8JSyWuL1KPTe1nLjECewYm9TuxAyiQTglBaHoJOrfyvd5Tu9gNopIhdR +WwXb2ajxLAqgqOhtfrV+fcvLIucP5B+dcAixdVnOFk62Vi4kyZLRgkK80JvhtdLu +xZWiCemmTxaG/6SYvpu3QmYcY7ee8I2hG05chGyCg7Zcnf4CVasMCgfbYgkt6Tzw +CzVZFEVDBbEjWQeEegQmVRVrfqHbmHm3ge6AyekSfAoHlv6IsRImJZta6QIDAQAB +MA0GCSqGSIb3DQEBCwUAA4ICAQAlcVI/elokcYZg1N+WEf+9SV3XakivfHFVTf0w +y9RlJ8HRaYN/Nnreo6RK+ps/RflNJi4+ncQazCzTOIchC2Wiaf0h3HspZ4N78j1y +rsT6LAm+eakzazl45pqVcJQ8jeTrjqOFerK+tQd9NQbsqkzmnQ2WmpFwDXdwY/T6 +H/TpwGwUTgYK/UW9WqgWCpTNDVfU6tYTD0KrlnnnPu2vtniLD4fJq/3NaESOrMCC +zNonH1dpIYERyu0l27rRw0zuexSyAAL0fd8OGdtpfeE7RbptCxwVmwz6/klluKOb +8YV53T4HnwKYtLmD+UMPdWAVzj4TdOSDTuOxQhu+NwjPMYKvMF2phN4v1BpVgUuy +m4HfuEpfHmHKsNPFJWZ9E28bbUJ39+LtARf3pqUL66V3CAlNodi6tpWqz4b3nPo+ +JznOox/ujntISe1ziNL6lHdGUFn9QaLQiXyIYZLNqheJ2GX4cHnKfzZxp/KqRBRA +Z/kUtHSAyL/LSJ3fAHxRdGmSiBP37PmDw7i11w9kd4EPK2EkiqZtmiQtDrsOQfh1 +0SeP4DHf3n7VoyGBDfpiC1WFnSafbMG+tOl7QuRX4RCJrVQWjFT73q0MCciryK7Z +TsUM+yHjDZY33k/kvevptczjWk1dxQ5Napr4ayW4jWvdWV55/lLYmhC8JP6La+1h +j50djA== +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/misc/nc_skip_self/root.pem b/src/tests/data/x509/misc/nc_skip_self/root.pem new file mode 100644 index 000000000..27f99ee35 --- /dev/null 
+++ b/src/tests/data/x509/misc/nc_skip_self/root.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFBzCCAu+gAwIBAgIUF/jloc5zNYR3gyPGyMfuC4Qf5cEwDQYJKoZIhvcNAQEL +BQAwMzELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTETMBEGA1UECgwKVGVz +dFJvb3RDQTAeFw0yMTA1MDQxMDQ2MzhaFw0yMjA1MDQxMDQ2MzhaMDMxCzAJBgNV +BAYTAkNaMQ8wDQYDVQQHDAZQcmFndWUxEzARBgNVBAoMClRlc3RSb290Q0EwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSmObXNfY3NDTfYwTykRtTaJs9 +tw4qqw6oXQc5FSK7Itwo90i7VjyTa+yVWulRGyqeSGanqvbZeSuF6ZB4tVmTi+gH +HlxBnT0zamYNdR4Yo5OzhXGyuaXuACTCj5N0OtMTjlOS0qsxTnsD8lgUHY0dUWpq +e2JsduiS+fXuE6tde0IAH3Rr47gTHPlXsAYl2T48s+3pv9MY5MGSSusakDXqjdLB +mnfhoOCfbBWm61GNHBfVVFx6MAEAM8r6fTR0OZxynhcocT5yAbrKz72jLtT+savO +5ehq1vawpsgX3CmS4WmClnVEoOPh80a1F1aAr4bvcK2GmFLiBLIKZpGAiQLZe1QE +9Y/Q361zmY9ghQOldTFi7ZK3Bx8B/3hBS+1lQFrw+NlOqqkf3RruDfz04SRZYlKx +HrY1DEBcPDRYPEmA4QyGm079Pi+IoZzj2ZGUAegBPhd3wG9qeDoM9lB7wdCq3C9V +j4QQIzcfuecGTEbXD4n6r5gMhW+64LVZ2mDHf3sntc1wO/weBqpGYeX6s3pFIEvR +f1meuMEploIRYcT0wdIVld0p2nJQXZV2pxNcZ9SWns9AFEvdjb8VMQsuSjit6qxP +pMarNHkl0a3X7QWUwuWQz6hU7aIDCrXzmk9+ZDs8U5lQaSldyBdAsFMtHTX5s7PH +VDFg/DHzUW2pk1lNvQIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4ICAQDIMLGZgY7TC6rY0zV+MXVC873zz03A58Bd6osCBxrCkIn3aG5h +4OJ5s6+KmvzhXcb5TnPhHQso+ZCKdl4RJ3byzlH1gPhK+fPFIcivL3L/5P9OvdYQ +CXPK4vs9sH99YRWM6DsaO4GY9gg/g0gv7VSS4J91d6Mo6G1kQWer+h2YyJH2lO1T +2CnWYEto0KqztSixDrcBzSpAjvsZfzLNQJlp1IOoRTWgNyWGBztV6blEFu309M7U +05M+HiZQPu5q0/HQjXy2+uwzcasc3+YD6F/fdFuyCVLa8Bh10PG2mSG98j5QaSw2 +J6z+g4Mb0AgzzcjYRTIMt8ghMYyjstVjzK4UqXlL9/T4xKehFZcc/GQ+5xO/XdI1 +zCSe10+crNiuETRPArE2P5NvqHXKkcuSv7iuFmzc+VJC6Lj3t1sMUIKMCLrQYgXT +HL91GxX3AhWoLqobr9s4y14oP1CG/TqxQMdXqs7NAs+dJYcY9waFPlgMxzrVKcy3 +Z3thAcqBC6xDr8Ctx7uX7zqdNXZQfGnz2wVW/GSDFpvmmqWnwHiqABkEPMvzmNb/ +OCcmRc45PclyhLc/aMudJTsB36e9Tt/UCWe+iDorsizY4u4Fe+4ujlkyQWgYfvUl +txvJF3BvCIHwTlFAECgg6Je5qu6yWu4T+P4zPhWj1RaYA1i7cuXTXwKKKg== +-----END CERTIFICATE----- 
diff --git a/src/tests/test_x509_path.cpp b/src/tests/test_x509_path.cpp
index ef6be2219..e777f85fe 100644
--- a/src/tests/test_x509_path.cpp
+++ b/src/tests/test_x509_path.cpp
@@ -689,6 +689,52 @@ std::vector<Test::Result> Validate_Name_Constraint_CaseInsensitive::run()
 BOTAN_REGISTER_TEST("x509", "x509_name_constraint_ci", Validate_Name_Constraint_CaseInsensitive);
+class Validate_Name_Constraint_NoCheckSelf final : public Test
+ {
+ public:
+ std::vector<Test::Result> run() override;
+ };
+
+std::vector<Test::Result> Validate_Name_Constraint_NoCheckSelf::run()
+ {
+ if(Botan::has_filesystem_impl() == false)
+ {
+ return {Test::Result::Note("Path validation",
+ "Skipping due to missing filesystem access")};
+ }
+
+ std::vector<Test::Result> results;
+
+ const std::string root_crt = Test::data_file("/x509/misc/nc_skip_self/root.pem");
+ const std::string int_crt = Test::data_file("/x509/misc/nc_skip_self/int.pem");
+ const std::string ee_crt = Test::data_file("/x509/misc/nc_skip_self/leaf.pem");
+
+ auto validation_time =
+ Botan::calendar_point(2021, 5, 8, 1, 0, 0).to_std_timepoint();
+
+ Botan::X509_Certificate root(root_crt);
+ Botan::X509_Certificate intermediate(int_crt);
+ Botan::X509_Certificate ee_cert(ee_crt);
+
+ Botan::Certificate_Store_In_Memory trusted;
+ trusted.add_certificate(root);
+
+ std::vector<Botan::X509_Certificate> chain = { ee_cert, intermediate };
+
+ Botan::Path_Validation_Restrictions restrictions;
+ Botan::Path_Validation_Result validation_result =
+ Botan::x509_path_validate(chain, restrictions, trusted, "",
+ Botan::Usage_Type::UNSPECIFIED, validation_time);
+
+ Test::Result result("Name constraints do not apply to the certificate which includes them");
+ result.test_eq("Path validation succeeded",
+ validation_result.successful_validation(), true);
+
+ return {result};
+ }
+
+BOTAN_REGISTER_TEST("x509", "x509_name_constraint_no_check_self", Validate_Name_Constraint_NoCheckSelf);
+
 class BSI_Path_Validation_Tests final : public Test
 {
|
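Review bot: `std::vector<Test::Result> results;` in the new Validate_Name_Constraint_NoCheckSelf::run() is declared but never used, since the function returns `{result}` directly; either drop the declaration or push `result` into it and `return results;`. The fixed `validation_time` of 2021-05-08 is the right choice for a regression test, because it keeps the outcome independent of the wall clock, but a reader seeing a date in the past will presumably want to "modernise" it; a one-line comment such as `// Fixed validation time: the bundled test certificates are only valid for a limited window` would prevent that. The test also only asserts that the chain validates; if the assertion is meant to pin the exact reason a constrained intermediate was previously rejected, a second check on `validation_result.result_string()` (or the equivalent accessor, not visible here) would make a future regression easier to diagnose.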