Topic: BasicConstraints pathLenConstraint validation

Hi,

I was trying to connect to https://content.uplynk.com/ with wolfSSL but failed with error

ASN_PATHLEN_INV_E   = -238,  /* ASN CA path length inversion error */

After some debugging I found that it fails in the following check
https://github.com/wolfSSL/wolfssl/blob … sn.c#L6046

    if (cert->pathLengthSet &&
        cert->pathLength >= cert->ca->pathLength) {

        WOLFSSL_MSG("CA signing CA with longer path length");
        return ASN_PATHLEN_INV_E;
    }

In my case both cert->pathLength and cert->ca->pathLength are equal to 3

Baltimore CyberTrust Root issues certificate to Verizon Public SureServer CA G14-SHA2
Verizon issues certificate to *.uplynk.com
Baltimore CyberTrust Root sets pathLenConstraint to 3.

Is it correct that it fails and why?

I do not fully understand the requirements of the Basic Constraints section in RFC 5280
https://tools.ietf.org/html/rfc5280#section-4.2.1.9

Shouldn't the check be just greater and not greater or equal?

Thanks in advance

Re: BasicConstraints pathLenConstraint validation

Hi oigor,

It does seem like the logic should be only "greater than" following my initial review. I want to spend a little more time checking one thing, but wanted to get you an update. I will let you know when I have completed a more in-depth review of the other code segments surrounding this condition.

If possible could you provide us the test certificates you are using so we might reproduce the issue on our end and create a test case for this scenario in all our future release cycles?


Warm Regards,

Kaleb
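
For reference, the path-length bookkeeping that RFC 5280 section 6.1.4 describes (steps (l) and (m)), as an added example that is not wolfSSL code and not from either poster. The `struct cert` type, `check_path_len`, and both sample chains are constructed for illustration; treating the root as the first certificate in the chain is an assumption of this sketch.

```c
#include <stdio.h>

/* Simplified certificate: only the fields path-length processing needs. */
struct cert {
    const char *name;
    int self_issued;   /* issuer name equals subject name */
    int path_len_set;  /* pathLenConstraint present */
    int path_len;      /* its value when present */
};

/* Constructed chain mirroring the thread: both CAs carry pathLen 3. */
static const struct cert thread_chain[] = {
    { "root CA",         1, 1, 3 },
    { "intermediate CA", 0, 1, 3 },
    { "leaf",            0, 0, 0 },
};

/* Constructed chain that must fail: pathLen 0 forbids any CA below the root. */
static const struct cert too_deep[] = {
    { "root CA",         1, 1, 0 },
    { "intermediate CA", 0, 0, 0 },
    { "leaf",            0, 0, 0 },
};

/* chain[0..n-1] runs from the CA nearest the trust anchor to the target
 * certificate; the last entry is not subject to steps (l) and (m).
 * Returns 0 if the path length is acceptable, -1 otherwise. */
int check_path_len(const struct cert *chain, int n)
{
    int max_path_length = n;            /* initialised to n, section 6.1.2 (k) */
    for (int i = 0; i < n - 1; i++) {
        if (!chain[i].self_issued) {    /* step (l): consume one level */
            if (max_path_length <= 0)
                return -1;
            max_path_length--;
        }
        if (chain[i].path_len_set &&    /* step (m): only ever tighten */
            chain[i].path_len < max_path_length)
            max_path_length = chain[i].path_len;
    }
    return 0;
}

int main(void)
{
    printf("thread chain: %d\n", check_path_len(thread_chain, 3));
    printf("too deep:     %d\n", check_path_len(too_deep, 3));
    return 0;
}
```

In this procedure a subordinate CA whose pathLenConstraint is equal to or larger than its issuer's is not an error; the larger value simply has no effect, because the counter inherited from the issuer is already lower.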

Re: BasicConstraints pathLenConstraint validation

Hi Kaleb,

Thank you for the quick reply.

Actually I am using curl configured to use wolfssl.
So my case is simply calling

curl -v https://content.uplynk.com/

The page can also be accessed through any browser.
The server does not require client authentication, and the Baltimore CyberTrust Root certificate is installed in any Ubuntu or Windows OS.

Kind Regards,
Igor