Environment
Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3.8 for All Platforms
Novell Certificate Server (PKIS) 3.20
Novell ConsoleOne 1.36f on Windows XP SP2
Situation
ConsoleOne reports a "Path Length Violation" while running the validation process.
The trust chain for the certificate being validated has three root certificates:
SelfSigned CA with a pathLenConstraint = "5"
Sub CA1 with a pathLenConstraint = "2"
Sub CA2 with no pathLenConstraint set
Resolution
This issue has been reported to engineering.
Status
Reported to Engineering
Additional Information
The Novell Certificate Server validation process used the following
rules for the pathLenConstraint attribute given the above-mentioned
trust chain:
- If no pathLenConstraint attribute has been set on a given CA certificate, this means an unlimited path length.
- As soon as SubCA 2 cannot have a greater pathLenConstraint value than what has been set on SubCA 1
After a discussion on the PKIX list we changed the validation process.
In RFC 3280 there is no MUST-statement that says that a CA creating a certificate for a sub-CA must ensure that the path length is set.
The validation steps specifically say:
(l) If the certificate was not self-issued, verify that max_path_length
is greater than zero and decrement max_path_length by 1.
(m) If pathLengthConstraint is present in the certificate and is less than max_path_length,
set max_path_length to the value of pathLengthConstraint.
Here max_path_length is initially set to the path length specified in the root CA certificate. In this case, max_path_length would start at 5 and then be decreased to 2. When validating the certificate for subCA 2, since max_path_length is 2, the certificate should pass the check. Further, when validating a certificate signed by subCA 2 (that is not a CA), the leaf certificate would be considered valid as well.
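The following is an added example, not Novell's code: it applies steps (l) and (m) to the trust chain from the Situation section. The names Cert, check_path_length and PathLengthViolation are hypothetical, and the counter is assumed to start at the root's pathLenConstraint, as described above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


class PathLengthViolation(Exception):
    """Raised when step (l) finds max_path_length already at zero."""


@dataclass
class Cert:
    name: str
    path_len: Optional[int] = None  # pathLenConstraint; None means not set
    self_issued: bool = False


def check_path_length(chain: List[Cert]) -> List[Tuple[str, int]]:
    """Apply steps (l) and (m) to every CA certificate below the root.

    chain[0] is the self-signed root and chain[-1] is the certificate being
    validated. Returns (name, max_path_length) after each intermediate CA.
    """
    root, intermediates = chain[0], chain[1:-1]
    # Assumption taken from the article: the counter starts at the root's
    # pathLenConstraint. With none set, the chain length acts as "unlimited".
    max_path_length = root.path_len if root.path_len is not None else len(chain)
    trace = []
    for cert in intermediates:
        # Step (l): a CA certificate that is not self-issued uses up one level.
        if not cert.self_issued:
            if max_path_length <= 0:
                raise PathLengthViolation(f"{cert.name}: max_path_length is 0")
            max_path_length -= 1
        # Step (m): a constraint can only tighten the limit, never widen it.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
        trace.append((cert.name, max_path_length))
    return trace


# Constructed chain matching the article's Situation section.
ARTICLE_CHAIN = [
    Cert("SelfSigned CA", path_len=5, self_issued=True),
    Cert("Sub CA1", path_len=2),
    Cert("Sub CA2"),             # no pathLenConstraint set
    Cert("leaf"),                # end-entity certificate, not a CA
]

if __name__ == "__main__":
    print(check_path_length(ARTICLE_CHAIN))
```

A missing pathLenConstraint on Sub CA2 leaves the limit inherited from Sub CA1 in force, so the chain passes; a violation is raised only when a further CA appears after the counter has reached zero.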