Hi,

I found a bug in openssl ca. If you set authorityKeyIdentifier to
keyid and issuer always, then the keyid will be set correctly but the
issuer is wrong.

Example:

Root-CA --> Sub-Level 1 CA --> Sub-Level 2 CA --> User

If I issue a certificate for a user, then the issuer of the CA-cert
is the DN of the Root-CA.

I found a problem in two files:

crypto/x509v3/v3_akey.c
crypto/x509v3/v3_alt.c

v3_akey.c uses the following code to set the issuer:

if(akeyid->issuer)
        extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);

I looked into v3_alt.c and found the following:

STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
                GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret)
{
        int i;
        GENERAL_NAME *gen;
        for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
                gen = sk_GENERAL_NAME_value(gens, i);
                ret = i2v_GENERAL_NAME(method, gen, ret);
        }
        if(!ret) return sk_CONF_VALUE_new_null();
        return ret;
}

The function goes to the bottom of the stack, which is the Root-CA, which
is not the issuer of the Sub-Level 2 CA-Cert. In my opinion the extension
must use the top of the stack. There are two options now:

1. change v3_akey.c

gen = sk_GENERAL_NAME_value(akeyid->issuer, 0);
extlist = i2v_GENERAL_NAME(NULL, gen, extlist);

2. change v3_alt.c, i.e. fix the function i2v_GENERAL_NAMES directly:

STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
                GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret)
{
        GENERAL_NAME *gen;

        /* use only the first entry of the stack instead of walking all of them */
        gen = sk_GENERAL_NAME_value(gens, 0);
        ret = i2v_GENERAL_NAME(method, gen, ret);

        if(!ret) return sk_CONF_VALUE_new_null();
        return ret;
}

The problem is perhaps the usage of i2v_GENERAL_NAMES. I found only one
other function which uses this function:

i2v_crld in crypto/x509v3/v3_crld.c

I think that this function has no problem with the fix (this means perhaps
there is a similar bug too).

Any comments (perhaps my interpretation of the extension is wrong)?

Michael
-- 
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany                                       http://www.openca.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
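An added example (not from the mail above and not OpenSSL code) that builds the Root-CA / Sub-Level 1 CA / Sub-Level 2 CA / User chain from the report with the Python cryptography library, fills authorityKeyIdentifier the way RFC 5280 4.2.1.1 defines it (keyid from the signing CA's key; authorityCertIssuer and authorityCertSerialNumber naming the signing CA's own certificate), and shows how a path builder matches those fields against a candidate's issuer DN and serial rather than its subject. Key type, serial numbers and validity dates are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, key, issuer=None, issuer_key=None, is_ca=True, serial=1):
    """Issue a certificate for `cn`; no issuer means a self-signed root."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer.subject if issuer else subject)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(datetime.datetime(2024, 1, 1)).not_valid_after(datetime.datetime(2025, 1, 1))
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if issuer is not None:
        # keyid,issuer:always per RFC 5280 4.2.1.1: keyid is the issuer's SKI; authorityCertIssuer
        # and authorityCertSerialNumber identify the issuer's OWN cert (its issuer DN + its serial).
        ski = issuer.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        b = b.add_extension(x509.AuthorityKeyIdentifier(
            key_identifier=ski.digest,
            authority_cert_issuer=[x509.DirectoryName(issuer.issuer)],
            authority_cert_serial_number=issuer.serial_number), critical=False)
    return b.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())

def build_chain():
    """Root-CA -> Sub-Level 1 CA -> Sub-Level 2 CA -> User, the chain from the mail (constructed)."""
    k = {n: ec.generate_private_key(ec.SECP256R1()) for n in ("root", "sub1", "sub2", "user")}
    root = make_cert("Root-CA", k["root"], serial=1)
    sub1 = make_cert("Sub-Level 1 CA", k["sub1"], root, k["root"], serial=2)
    sub2 = make_cert("Sub-Level 2 CA", k["sub2"], sub1, k["sub1"], serial=3)
    user = make_cert("User", k["user"], sub2, k["sub2"], is_ca=False, serial=4)
    return {"root": root, "sub1": sub1, "sub2": sub2, "user": user}

def aki_issuer_cn(cert):
    # CN carried in the AKI authorityCertIssuer field of `cert`
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    return aki.authority_cert_issuer[0].value.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def find_issuer(cert, pool):
    """Pick the issuer the way a path builder uses AKI, then verify the signature."""
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    for cand in pool:
        ski = cand.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        # keyid vs candidate SKI; issuer/serial vs the candidate's own issuer DN and serial
        if (ski.digest == aki.key_identifier and aki.authority_cert_issuer[0].value == cand.issuer
                and aki.authority_cert_serial_number == cand.serial_number):
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
            return cand
    return None
```

For the User cert the AKI issuer field names Sub-Level 1 CA (the DN that issued the Sub-Level 2 CA cert), and the matching candidate is the Sub-Level 2 CA cert itself.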