Michael Bell wrote:
>
> Hi,
>
> I found a bug in openssl ca. If you set authorityKeyIdentifier to
> keyid and issuer always then the keyid will be set correctly but the
> issuer is wrong.
>
> Example:
>
> Root-CA --> Sub-Level 1 CA --> Sub-Level 2 CA --> User
>
> If I issue a certificate for a user then the issuer of the CA-cert
> is the DN of the Root-CA.
>

What do you mean here? Are you saying that the authorityKeyIdentifier in Sub-Level 2 CA issuer name is the root CA? If so that's correct because it's telling you the issuer and serial number of the CA that issued it.

> I found a problem in two files:
> <description deleted>

The i2v functions convert the internal form (C structure) into a stack of name+value pairs and are used to produce a human readable version of the extension. That's actually not connected with the way the authority key identifier is automatically generated. The code to do that is in v2i_AUTHORITY_KEYID().

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
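
The semantics described in the reply above, as an added example that is not part of the original thread and is not OpenSSL's code: it rebuilds the four-level chain from the question with the Python `cryptography` package and sets the authority key identifier the way `keyid,issuer:always` is described here. The helper names (`issue`, `akid`, `akid_matches`, `build_chain`) and the serial numbers are assumptions made for the illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def dn(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def skid(cert):
    return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value

def akid(cert):
    return cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value

def issue(cn, serial, ca=None):
    """Issue a cert for `cn`; `ca` is a (cert, key) pair, or None for a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(dn(cn))
         .issuer_name(ca[0].subject if ca else dn(cn))
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False))
    if ca:
        # keyid  = the issuing CA's subject key identifier
        # issuer = issuer name + serial of the issuing CA's OWN certificate (not its subject)
        b = b.add_extension(x509.AuthorityKeyIdentifier(
            key_identifier=skid(ca[0]).digest,
            authority_cert_issuer=[x509.DirectoryName(ca[0].issuer)],
            authority_cert_serial_number=ca[0].serial_number), critical=False)
    return b.sign(ca[1] if ca else key, hashes.SHA256()), key

def akid_matches(child, candidate):
    """Chain-building check: does `candidate` satisfy all three AKID fields of `child`?"""
    a = akid(child)
    return (a.key_identifier == skid(candidate).digest
            and a.authority_cert_issuer[0].value == candidate.issuer
            and a.authority_cert_serial_number == candidate.serial_number)

def build_chain():
    root = issue("Root-CA", 1)                 # constructed serials 1..4
    sub1 = issue("Sub-Level 1 CA", 2, root)
    sub2 = issue("Sub-Level 2 CA", 3, sub1)
    user = issue("User", 4, sub2)
    return root, sub1, sub2, user

if __name__ == "__main__":
    root, sub1, sub2, user = build_chain()
    for name, (cert, _) in (("Sub-Level 2 CA", sub2), ("User", user)):
        a = akid(cert)
        print(name, "AKID issuer:", a.authority_cert_issuer[0].value.rfc4514_string(),
              "serial:", a.authority_cert_serial_number)
```

The name inside the extension is therefore one level above the certificate's own issuer field, so a verifier comparing it against a candidate issuer has to compare against that candidate's issuer name and serial, not its subject.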