Hi, The "authorityKeyIdentifier" extension seems to behave weirdly...
I have a two-level CA architecture:

  ROOT CA
  INTERMEDIATE CA

For both CAs:

  authorityKeyIdentifier = keyid,issuer:always

ROOT CA's authorityKeyIdentifier extension gives its own DN as issuer (normal).
INTERMEDIATE CA's authorityKeyIdentifier extension gives ROOT CA's DN as issuer (normal).
A certificate signed by INTERMEDIATE CA gives ROOT CA's DN as issuer (not normal). Shouldn't it be INTERMEDIATE CA's DN, since the issuer of this certificate is INTERMEDIATE CA and not ROOT CA?

So I looked at the source code, and I found (crypto/x509v3/v3_akey.c:144):

  cert = ctx->issuer_cert;
  ...
  if((issuer && !ikeyid) || (issuer == 2)) {
      isname = X509_NAME_dup(X509_get_issuer_name(cert));

So "cert" contains the issuer certificate, and we copy the "cert"'s issuer DN, and not its own DN???? Wouldn't

  isname = X509_NAME_dup(X509_get_subject_name(cert));

be more proper?

Thanks.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
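The behaviour the post describes can be reproduced and checked with the openssl command line. The script below is an added example; it is not part of the post and not OpenSSL project code. It builds a constructed ROOT -> INTERMEDIATE -> leaf chain with "authorityKeyIdentifier = keyid,issuer:always" and then verifies each certificate's AKI against the RFC 5280 meaning of the extension: the authorityCertIssuer/authorityCertSerialNumber pair identifies the issuer's *certificate*, so it carries the issuer certificate's own issuer name and serial number (for a leaf signed by INTERMEDIATE, that is ROOT's DN plus INTERMEDIATE's serial). The names ROOT, INTERMEDIATE and leaf.example, the file names, and the helper function names are all constructed for this example; it assumes an openssl binary (1.1.1 or later) on PATH and single-RDN subject names so that the oneline "/CN=..." form printed for the AKI DirName matches "-nameopt compat" output.

```shell
#!/bin/sh
# Added example: reproduce the AKI behaviour from the post and check it against
# RFC 5280 (AKI DirName/serial must identify the issuer's certificate).
# Assumes openssl >= 1.1.1 on PATH. All names and files are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: [req]/[dn] satisfy "openssl req" when -subj is used;
# v3_ca / v3_leaf carry the same AKI setting the post describes.
cat >"$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF

# new_key_and_csr NAME CN -> $WORK/NAME.key and $WORK/NAME.csr
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -keyout "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_cert NAME SECTION [CA_NAME]: self-signed when CA_NAME is omitted.
# The x509 app sets the extension context's issuer_cert to the CA cert
# (or to the new cert itself for a self-signed root), which is the
# "ctx->issuer_cert" the post quotes from v3_akey.c.
sign_cert() {
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
      -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions "$2" \
      -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# aki_field CERT FIELD: value of the "DirName:" or "serial:" line of the AKI
# extension as printed by "openssl x509 -text".
aki_field() {
  openssl x509 -in "$1" -noout -text | sed -n "s/^ *$2:\(.*\)$/\1/p" | head -n 1
}

# cert_issuer CERT: the certificate's Issuer DN in the same oneline
# "/CN=..." form that the AKI DirName is printed in.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# cert_serial CERT: serial number as uppercase hex without separators.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# aki_matches_issuer_cert CERT ISSUER_CERT: succeeds (status 0) when CERT's AKI
# names ISSUER_CERT's own issuer DN and ISSUER_CERT's serial number, i.e. when
# it identifies the issuer's certificate as RFC 5280 section 4.2.1.1 requires.
aki_matches_issuer_cert() {
  [ "$(aki_field "$1" DirName)" = "$(cert_issuer "$2")" ] || return 1
  [ "$(aki_field "$1" serial | tr -d :)" = "$(cert_serial "$2")" ] || return 1
}

build_chain() {
  new_key_and_csr root ROOT
  sign_cert root v3_ca
  new_key_and_csr inter INTERMEDIATE
  sign_cert inter v3_ca root
  new_key_and_csr leaf leaf.example
  sign_cert leaf v3_leaf inter
}

build_chain
for c in root inter leaf; do
  printf '%s: AKI DirName=%s serial=%s\n' "$c" \
    "$(aki_field "$WORK/$c.pem" DirName)" "$(aki_field "$WORK/$c.pem" serial)"
done
```

Running it prints "/CN=ROOT" as the AKI DirName for all three certificates, exactly the observation in the post, while the serial differs: the intermediate's AKI carries the root's serial and the leaf's AKI carries the intermediate's serial. The aki_matches_issuer_cert check passes for every link of the chain, which is the practical way to confirm that an issuer-name-plus-serial AKI is pointing at the right CA certificate when debugging path building.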