NLnetLabs / ldns

LDNS is a DNS library that facilitates DNS tool programming
https://nlnetlabs.nl/ldns
BSD 3-Clause "New" or "Revised" License
301 stars 99 forks source link

Use OpenSSL X509_V_FLAG_PARTIAL_CHAIN in verify context #64

Closed noloader closed 4 years ago

noloader commented 4 years ago

dane.c: use OpenSSL X509_V_FLAG_PARTIAL_CHAIN in verify context.

OpenSSL's X509_V_FLAG_PARTIAL_CHAIN allows one to use an intermediate CA (i.e., non-root) to root trust. It is incredibly useful to prune paths from a trust model. For example, with X509_V_FLAG_PARTIAL_CHAIN, one can use Let's Encrypt CA certificate alone to verify a server. Without the flag one must trust the IdentTrust Root CA, which brings in the entire PKI, including issuers for revocation, server certificates, client certificates, code signing certificates and time stamping.

Also clear several 'maybe uninitialized' warnings. The warnings seem to be related to the conditional code paths guarded by X509_V_FLAG_PARTIAL_CHAIN.

wtoorop commented 4 years ago

Thanks again! I'll study/review hopefully this afternoon, but soon in any case.

noloader commented 4 years ago

Thanks @wtoorop.

Take what you want from it.

If LDNS ever supports different back-ends, like GnuTLS or NSS, then you will definitely want X509_V_FLAG_PARTIAL_CHAIN. GnuTLS and NSS bake-in the logic of OpenSSL's X509_V_FLAG_PARTIAL_CHAIN. To keep consistent behavior with GnuTLS or NSS, LDNS will need X509_V_FLAG_PARTIAL_CHAIN.

And other software, like cURL and Wget, use X509_V_FLAG_PARTIAL_CHAIN when using OpenSSL as a back-end.

noloader commented 4 years ago

OK, deleting.

Here is the patch if you want to take pieces from it in the future: X509_V_FLAG_PARTIAL_CHAIN.diff.zip.

wtoorop commented 4 years ago

Did you not want to keep the branch around? I did not have opportunity to look/merge yet...