From: "Jerry O." <[email protected]>
Newsgroups: comp.lang.tcl
Subject: Re: pki::x509::verify_cert not working?
Date: Fri, 20 Mar 2026 03:19:53 -0000 (UTC)
On Tue, 17 Mar 2026 02:22:23 -0000 (UTC), Jerry O. wrote:
> Hello everyone,
>
> I have a question for those who have written code using pki: have any of you
> had pki::x509::verify_cert suddenly begin failing certs, even when the trust
> has indeed been established, the certs are current, and-- most importantly--
> an independent check using "openssl verify -CAfile..." (or some other similar
> utility) shows that the cert _is_ valid?

Hello again,

I've been studying the pki.tcl module source code and I believe I may have found the
reason for why verify_cert is not passing an otherwise trusted cert chain: a missing case
in a switch statement in the proc ::pki::x509::validate_cert. I believe this to be so
based on the following reasoning (see the code excerpts below):

1) ::pki::x509::verify_cert invokes ::pki::x509::validate_cert on the supplicant cert
   first, and then on the trusted cert(s).
2) The supplicant cert passes ::pki::x509::validate_cert.
3) The trusted cert fails ::pki::x509::validate_cert.
4) Therefore, ::pki::x509::verify_cert fails.
5) The CA cert (the trusted cert) generated by ::pki::x509::create_cert includes the
   extension "id-ce-basicConstraints". The ::pki::x509::validate_cert code doesn't
   recognize this extension-- it only recognizes "basicConstraints"-- and so returns
   false as the default response.
6) It looks like "id-ce-basicConstraints" and "basicConstraints" are otherwise treated
   equivalently elsewhere in pki.tcl. See the code for ::pki::x509::create_cert, and
   the code (and comments) for ::pki::x509::_parse_extensions as comparison.
7) It appears to me that the switch statement in ::pki::x509::validate_cert is simply
   missing the "id-ce-basicConstraints" case that would fix the issue.

I humbly ask that those readers who are, or who are in contact with, code maintainers
please review what I have submitted here, and if it is confirmed, that a correction to
pki.tcl be proposed.

With Gratitude,
-Jerry O.
Please first reverse the letters in my address domain when replying direct.

modules/pki/pki.tcl as retrieved on March 19th, 2026:
In the proc ::pki::x509::validate_cert (starting at line 2222):
2294     # Check for extensions and process them. However v1 certs have no extensions
2295     if {$cert_arr(version) == 0} {
2296         # Do not permit V1 certificates for signing.
2297         set CA 0
2298     } else {
2299         ## Critical extensions must be understood, non-critical extensions may be ignored if not understood
2300         set CA 0
2301         set CAdepth -1
2302         foreach {ext_id ext_val} $cert_arr(extensions) {
2303             set critical [lindex $ext_val 0]
2304
2305             switch -- $ext_id {
2306 ------>         basicConstraints {
2307                     set CA [lindex $ext_val 1 0]
2308                     set CAdepth [lindex $ext_val 1 1]
2309                 }
2310                 default {
2311                     ### If this extensions is critical and not understood, we must reject it
2312                     if {$critical} {
2313                         return false
2314                     }
2315                 }
2316             }
2317         }
2318     }

Shouldn't "id-ce-basicConstraints" be included, as follows:
            switch -- $ext_id {
---ADD?--->     id-ce-basicConstraints -
                basicConstraints {
                    set CA [lindex $ext_val 1 0]
                    set CAdepth [lindex $ext_val 1 1]
                }
                ...etc...

Compare to the code of proc ::pki::x509::create_cert (starting at line 2584):
2686     ## Insert extensions
2687     if {[array get extensions] ne {}} {
2688         set extensionslist [list]
2689
2690         foreach {extension extvalue} [array get extensions] {
2691             set critical 0
2692
2693             switch -- $extension {
2694 ------>         id-ce-basicConstraints -
2695                 basicConstraints {
2696                     set critical [lindex $extvalue 0]
2697                     set allowCA [lindex $extvalue 1]
2698                     set caDepth [lindex $extvalue 2]
2699
2700                     if {$caDepth < 0} {
2701                         set extvalue [::asn::asnSequence [::asn::asnBoolean $allowCA]]
2702                     } else {
2703                         set extvalue [::asn::asnSequence [
2704                             ::asn::asnBoolean $allowCA
2705                         ] [
2706                             ::asn::asnInteger $caDepth
2707                         ]]
2708                     }
2709                 }

Look at proc ::pki::x509::_parse_extensions (starting at line 2010), lines 2089 thru 2098,
where accommodation was made for both forms "basicConstraints" and "id-ce-basicConstraints"
--
Please first reverse the letters in my address domain when replying direct.
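
Added example (not part of the original post, and not code from pki.tcl): a stand-alone Tcl model of the extension switch quoted above. It shows what that loop does with an extension list under the current case list and under the proposed one. The proc name audit_extensions, the handled array and the sample lists are hypothetical, and the {critical value} layout of each extension is assumed from the excerpt.

```tcl
# Added example; models only the switch quoted from ::pki::x509::validate_cert.
# Assumption (taken from the excerpt): the extensions list is a flat list of
#   ext_id {critical {CA CAdepth}}   pairs.

# Extension names the switch handles. "before" is the excerpt as retrieved,
# "after" adds the case proposed in the post.
set handled(before) {basicConstraints}
set handled(after)  {basicConstraints id-ce-basicConstraints}

# Hypothetical helper: walk the extensions the way the quoted loop does and
# return a dict with verdict (accept|reject), CA, CAdepth and rejected_by.
proc audit_extensions {extensions known} {
    set CA 0
    set CAdepth -1
    foreach {ext_id ext_val} $extensions {
        set critical [lindex $ext_val 0]
        if {$ext_id in $known} {
            set CA      [lindex $ext_val 1 0]
            set CAdepth [lindex $ext_val 1 1]
        } elseif {$critical} {
            # Critical and not understood: the default branch returns false.
            return [dict create verdict reject CA $CA CAdepth $CAdepth \
                rejected_by $ext_id]
        }
    }
    return [dict create verdict accept CA $CA CAdepth $CAdepth rejected_by {}]
}

# Constructed sample inputs (not taken from a real certificate).
set samples {
    ca_critical    {id-ce-basicConstraints {1 {1 -1}}}
    ca_noncritical {id-ce-basicConstraints {0 {1 -1}}}
    ca_short_name  {basicConstraints {1 {1 0}}}
}

foreach {label exts} $samples {
    foreach variant {before after} {
        set r [audit_extensions $exts $handled($variant)]
        puts [format "%-15s %-6s verdict=%s CA=%s CAdepth=%s rejected_by=%s" \
            $label $variant [dict get $r verdict] [dict get $r CA] \
            [dict get $r CAdepth] [dict get $r rejected_by]]
    }
}
```

In the ca_noncritical case the "before" variant does not reject, but CA stays 0, so the loop never records the certificate as a CA. The critical flag therefore decides which of the two symptoms appears.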