Re: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0

2018-10-03 Thread Peter Magnusson
The following test case attempts to validate evilserver.pem, issued by evilca.pem. evil*.pem is violating: 1/ pathlen=0 constraint of the compromised intermediate.pem (issuer of evilserver.pem) 2/ pathlen=1 constraint of the non-compromised root-ca.pem (issuer of intermediate.pem) The particular

Re: [openssl-users] SubjectAltName syntax in openssl.cnf

2018-10-03 Thread DUPALUT, Benjamin
Hi Dave, Thank you for your answer. Kind regards, *Benjamin Dupalut* Systems and network engineer Service Informatique, Télécommunications, Audiovisuel et Reprographie (SITAR) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupa...@esiee.fr www.esiee.fr

Re: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0

2018-10-03 Thread Viktor Dukhovni
On Wed, Oct 03, 2018 at 02:51:57PM +0200, Peter Magnusson wrote: > $ openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem > evil.pem > evil.pem: OK This is expected to work when intermediate.pem has pathlen 0, because you're verifying "evil.pem" as a *leaf* certificate, its CA:tr

[openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0

2018-10-03 Thread Peter Magnusson
Hi, It is my understanding that "openssl verify" should raise X509_V_ERR_PATH_LENGTH_EXCEEDED if a pathlen=0 intermediate issues a new CA, but that does not seem to occur when I test with a couple of openssl versions. I am not sure due to limited understanding of the code, but I am wonde