From d376c969443960208ea6feb77e8f94eea9a120e6 Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Sun, 16 Apr 2023 08:06:42 +0000
Subject: [PATCH] More ProxyCertInfo tentacles go to the attic

This removes ProxyCertInfo from extension caching, issuer checking
and it also drops the special path validation for proxy certs from
the legacy verifier.

ok jsing
---
 lib/libcrypto/x509/x509_purp.c | 33 ++---------------------------
 lib/libcrypto/x509/x509_vfy.c  | 38 ++++------------------------------
 2 files changed, 6 insertions(+), 65 deletions(-)

diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c
index 176d9d679fe..621f6f0f901 100644
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.21 2023/02/16 10:18:59 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.22 2023/04/16 08:06:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -380,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex)
 		NID_sbgp_autonomousSysNum, /* 291 */
 #endif
 		NID_policy_constraints,	/* 401 */
-		NID_proxyCertInfo,	/* 663 */
 		NID_name_constraints,	/* 666 */
 		NID_policy_mappings,	/* 747 */
 		NID_inhibit_any_policy	/* 748 */
@@ -446,7 +445,6 @@ static void
 x509v3_cache_extensions_internal(X509 *x)
 {
 	BASIC_CONSTRAINTS *bs;
-	PROXY_CERT_INFO_EXTENSION *pci;
 	ASN1_BIT_STRING *usage;
 	ASN1_BIT_STRING *ns;
 	EXTENDED_KEY_USAGE *extusage;
@@ -481,30 +479,6 @@ x509v3_cache_extensions_internal(X509 *x)
 		x->ex_flags |= EXFLAG_INVALID;
 	}
 
-	/* Handle proxy certificates */
-	if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
-		if (x->ex_flags & EXFLAG_CA ||
-		    X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
-		    X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
-			x->ex_flags |= EXFLAG_INVALID;
-		}
-		if (pci->pcPathLengthConstraint) {
-			if (pci->pcPathLengthConstraint->type ==
-			    V_ASN1_NEG_INTEGER) {
-				x->ex_flags |= EXFLAG_INVALID;
-				x->ex_pcpathlen = 0;
-			} else
-				x->ex_pcpathlen =
-				    ASN1_INTEGER_get(pci->
-				      pcPathLengthConstraint);
-		} else
-			x->ex_pcpathlen = -1;
-		PROXY_CERT_INFO_EXTENSION_free(pci);
-		x->ex_flags |= EXFLAG_PROXY;
-	} else if (i != -1) {
-		x->ex_flags |= EXFLAG_INVALID;
-	}
-
 	/* Handle key usage */
 	if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
 		if (usage->length > 0) {
@@ -908,10 +882,7 @@ X509_check_issued(X509 *issuer, X509 *subject)
 			return ret;
 	}
 
-	if (subject->ex_flags & EXFLAG_PROXY) {
-		if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
-			return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
-	} else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+	if (ku_reject(issuer, KU_KEY_CERT_SIGN))
 		return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
 	return X509_V_OK;
 }
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 8bba7961981..8fd193699eb 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.111 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.112 2023/04/16 08:06:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -732,7 +732,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
 	int (*cb)(int xok, X509_STORE_CTX *xctx);
 	int proxy_path_length = 0;
 	int purpose;
-	int allow_proxy_certs;
 
 	cb = ctx->verify_cb;
 
@@ -747,14 +746,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
 	must_be_ca = -1;
 
 	/* CRL path validation */
-	if (ctx->parent) {
-		allow_proxy_certs = 0;
+	if (ctx->parent)
 		purpose = X509_PURPOSE_CRL_SIGN;
-	} else {
-		allow_proxy_certs =
-		    !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+	else
 		purpose = ctx->param->purpose;
-	}
 
 	/* Check all untrusted certificates */
 	for (i = 0; i < ctx->num_untrusted; i++) {
@@ -769,14 +764,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
 			if (!ok)
 				goto end;
 		}
-		if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
-			ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
-			ctx->error_depth = i;
-			ctx->current_cert = x;
-			ok = cb(0, ctx);
-			if (!ok)
-				goto end;
-		}
 		ret = X509_check_ca(x);
 		switch (must_be_ca) {
 		case -1:
@@ -838,24 +825,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
 		/* Increment path length if not self issued */
 		if (!(x->ex_flags & EXFLAG_SI))
 			plen++;
-		/* If this certificate is a proxy certificate, the next
-		   certificate must be another proxy certificate or a EE
-		   certificate.  If not, the next certificate must be a
-		   CA certificate.  */
-		if (x->ex_flags & EXFLAG_PROXY) {
-			if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
-				ctx->error =
-				    X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
-				ctx->error_depth = i;
-				ctx->current_cert = x;
-				ok = cb(0, ctx);
-				if (!ok)
-					goto end;
-			}
-			proxy_path_length++;
-			must_be_ca = 0;
-		} else
-			must_be_ca = 1;
+		must_be_ca = 1;
 	}
 	ok = 1;
 
-- 
2.20.1