by mykhal 3993 days ago
from test/verify_extra_test.c:

    Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)
   
    Chain is as follows:
   
    rootCA (self-signed)
      |
    interCA
      |
    subinterCA       subinterCA (self-signed)
      |                   |
    leaf ------------------
      |
    bad
   
    rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE
    leaf and bad have CA=FALSE
   
    subinterCA and subinterCA (ss) have the same subject name and keys
   
    interCA (but not rootCA) and subinterCA (ss) are in the trusted store
    (roots.pem)
    leaf and subinterCA are in the untrusted list (untrusted.pem)
    bad is the certificate being verified (bad.pem)
   
    Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has
    CA=FALSE, and will therefore incorrectly verify bad
1 comments

So, the bad certificate HAS to be signed by the leaf certificate, and the leaf certificate HAS to be trusted. (And you need two CAs with the same keys.)

OpenSSL would accept certs that have been issued by a non-CA cert (which is trusted).

So if you have control over the leaf cert, you can just use it for contacting OpenSSL.

If you don't have control over the leaf cert, you can't issue a bad cert.

Am I missing something?

The leaf cert is signed for evil-bastard.net, but the "bad" cert can be for mail.google.com.
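
The chain from the test comment, as an added example that is not part of the thread or of OpenSSL's code: a simplified C model in which the `Cert` struct, the key ids and `verify` are assumptions standing in for real X.509 parsing and signature checks. It shows that leaf verifies as an end-entity, while bad is rejected as soon as every certificate used as an issuer must have CA=TRUE.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: names and key ids stand in for real X.509 fields (constructed data). */
typedef struct {
    const char *subject, *issuer;  /* subject and issuer names */
    const char *key, *signed_by;   /* own key id, key id that signed it */
    int is_ca;                     /* basicConstraints CA flag */
} Cert;

/* Trusted store (roots.pem in the test): interCA and subinterCA (ss). */
static const Cert trusted[] = {
    {"interCA", "rootCA", "k-inter", "k-root", 1},
    {"subinterCA", "subinterCA", "k-subinter", "k-subinter", 1},
};
/* Untrusted list (untrusted.pem in the test): leaf and subinterCA. */
static const Cert untrusted[] = {
    {"leaf", "subinterCA", "k-leaf", "k-subinter", 0},
    {"subinterCA", "interCA", "k-subinter", "k-inter", 1},
};
static const Cert bad = {"bad", "leaf", "k-bad", "k-leaf", 0};

/* Find a cert in `set` whose subject and key match c's issuer and signer. */
static const Cert *find_issuer(const Cert *c, const Cert *set, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!strcmp(set[i].subject, c->issuer) && !strcmp(set[i].key, c->signed_by))
            return &set[i];
    return NULL;
}

/* Returns 1 if `target` chains to a trusted cert. With enforce_ca clear the CA
   check is skipped, reproducing the outcome the test comment describes. */
int verify(const Cert *target, int enforce_ca) {
    const Cert *cur = target;
    for (int depth = 0; depth < 8; depth++) {
        const Cert *iss = find_issuer(cur, trusted, 2);
        int anchored = iss != NULL;
        if (!iss) iss = find_issuer(cur, untrusted, 2);
        if (!iss) return 0;                       /* no issuer found */
        if (enforce_ca && !iss->is_ca) return 0;  /* issuer is not a CA */
        if (anchored) return 1;                   /* reached the trusted store */
        cur = iss;
    }
    return 0;                                     /* chain too long */
}

int main(void) {
    printf("leaf=%d bad=%d bad_unchecked=%d\n", verify(&untrusted[0], 1), verify(&bad, 1), verify(&bad, 0));
    return 0;
}
```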