Fix app-defined privileges certificate verification

Since OpenSSL 3.0 a number of additional checks introduced to X509_verify_cert()
according to requirements in RFC 5280 in case X509_V_FLAG_X509_STRICT is set.
For example, the basicConstraints of CA certificates must be marked critical.

This checks cause verification failure for not well-formed certificates.
Having backward compatibility in mind, it's better to disable strict checking
than replacing all broken certificates in applications.

Change-Id: I8c6cb50be7c36ff7ef3d5c221dd4f066c2626be6

diff --git a/src/license-manager/agent/agent_logic.cpp b/src/license-manager/agent/agent_logic.cpp
index 2363d7b..b0bee70 100644 (file)
--- a/src/license-manager/agent/agent_logic.cpp
+++ b/src/license-manager/agent/agent_logic.cpp
@@ -182,7 +182,6 @@ int verify(const std::string &smack, int uid, const std::string &privilege) {
     } else if (0 == X509_STORE_CTX_init(storeCtx.get(), store.get(), clientCert.get(), nullptr)) { // check this nullptr
         ALOGD("X509_STORE_CTX_init failed");
     } else {
-        X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(storeCtx.get()), X509_V_FLAG_X509_STRICT);
         status = X509_verify_cert(storeCtx.get()); // 1 == ok; 0 == fail; -1 == error
     }