author | Daniel Neus <[email protected]> | 2017-05-19 12:21:30 +0200 |
---|---|---|
committer | Daniel Neus <[email protected]> | 2017-05-19 12:33:03 +0200 |
commit | 9618c63002b2c620affea5f4475d275ce7c46643 (patch) | |
tree | 2fd1356654aa64d08ff2927edb6da7974ff95ab1 /src/lib/x509/x509cert.cpp | |
parent | 2f53dc937f33816445c7646b88e0ad826d197482 (diff) |
fix pathLenConstraint validation
Fixes GH #991
The problem with the current implementation of the chain validation code is that it runs from the end certificate to the trust cert.
@securitykernel and I tried to fix the pathLenConstraint validation within this reverse loop but we were not sure if we missed some edge cases.
So we felt safer to use the algorithm listed in RFC 5280 which executes from the top to the bottom. It's probably best to rewrite the code to use the whole algorithm from RFC 5280, i.e. validating the chain from the trust to the end cert.
Additionally, we wrote some tests including the one that raised this issue initially.
Diffstat (limited to 'src/lib/x509/x509cert.cpp')
-rw-r--r-- | src/lib/x509/x509cert.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp index 512e4aa63..40bdbf477 100644 --- a/src/lib/x509/x509cert.cpp +++ b/src/lib/x509/x509cert.cpp @@ -334,7 +334,7 @@ bool X509_Certificate::has_ex_constraint(const std::string& ex_constraint) const */ uint32_t X509_Certificate::path_limit() const { - return m_subject.get1_uint32("X509v3.BasicConstraints.path_constraint", 0); + return m_subject.get1_uint32("X509v3.BasicConstraints.path_constraint", Cert_Extension::NO_CERT_PATH_LIMIT); } /* |
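Review bot: In X509_Certificate::path_limit(), the value returned when "X509v3.BasicConstraints.path_constraint" is absent changes from 0 to Cert_Extension::NO_CERT_PATH_LIMIT, so the uint32_t return now doubles as a sentinel, and the comment block above the function should state that. Any caller that compares path_limit() against a chain depth or does arithmetic on it has to test for NO_CERT_PATH_LIMIT first, otherwise the sentinel is treated as an ordinary length. This view is limited to src/lib/x509/x509cert.cpp, so the callers and the tests mentioned in the commit message cannot be checked here. Please confirm the tests cover a CA certificate with no pathLenConstraint as well as one with an explicit pathLenConstraint of 0, since the old default made those two cases indistinguishable.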