Ensure 'critical' basicConstraint for CA cert

Resolves: RHEL-88118 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2025-04-22 14:58:00 -04:00 · 2025-04-22 14:58:00 -04:00 · 7f0effb035
commit 7f0effb035
parent e754c2e164
2 changed files with 45 additions and 0 deletions
--- a/0004-Ensure-critical-basicConstraint-for-CA-cert.patch
+++ b/0004-Ensure-critical-basicConstraint-for-CA-cert.patch
@ -0,0 +1,43 @@
 From 276698d206e9bad55d628eb2db8a71ba469a2eaf Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 22 Apr 2025 13:09:32 -0400
 Subject: [PATCH 4/4] Ensure 'critical' basicConstraint for CA cert
 Fixes: https://github.com/sgallagher/sscg/issues/74
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 ---
 src/authority.c            | 3 ++-
 test/test_cert_validity.sh | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
 diff --git a/src/authority.c b/src/authority.c
 index f509fd4316c3b7b230f99de6464491c319fc5d45..68000c5e695460abd65c9641b44c187f4aa617e3 100644
 --- a/src/authority.c
 +++ b/src/authority.c
@@ -123,7 +123,8 @@ create_private_CA (TALLOC_CTX *mem_ctx,
   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
   /* Mark it as a CA */
 -  ex = X509V3_EXT_conf_nid (NULL, NULL, NID_basic_constraints, "CA:TRUE");
 +  ex = X509V3_EXT_conf_nid (
 +    NULL, NULL, NID_basic_constraints, "critical,CA:TRUE");
   CHECK_MEM (ex);
   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
 diff --git a/test/test_cert_validity.sh b/test/test_cert_validity.sh
 index 1e4df5ce57a45981878cec017f710b9699b77c6a..e20e02a384156a1a481e2560308f10a82258986e 100755
 --- a/test/test_cert_validity.sh
 +++ b/test/test_cert_validity.sh
@@ -204,7 +204,7 @@ key_strength=$(openssl pkey -text -noout -in service-key.pem -passin pass:mypass
 test "$key_strength" -eq "$_arg_key_strength"
 # Validate the certificates
 -openssl verify -CAfile ca.crt service.pem
 +openssl verify -x509_strict -CAfile ca.crt service.pem
 popd # $TMPDIR
 -- 
 2.49.0
--- a/sscg.spec
+++ b/sscg.spec
@ -23,6 +23,8 @@ Patch:          0001-Extend-maximum-DNS-name-to-255.patch
 Patch:          0002-Update-README.md-with-latest-usage-information.patch
 # Set Certificate Signing Request version to 1 instead of 3(which doesn't exist)
 Patch:          0003-x509-Use-proper-version-for-CSR.patch
 # Ensure 'critical' basicConstraint for CA cert
 Patch:          0004-Ensure-critical-basicConstraint-for-CA-cert.patch
 BuildRequires:  gcc
 BuildRequires:  libtalloc-devel