Hello,

I am doing some interop testing with a toolkit that performs PKIX
certificate verification and it is having a problem validating a chain I
built with OpenSSL.  What appears to be happening is that when 'ca' copies
in the authority key information into the client certificate, it is pulling
in the CA subject from my root CA instead of my intermediate CA (marked
*wrong* below).

If you look at the following chain (leaf->intermediate->root CA), you will
notice the subject key/authority keys are correct.  The authority serial
numbers are correct.  But, the leaf certificate has the root CA's subject DN.
It should be the intermediate CA's subject DN.

Certchain entry: 0
 certsubject cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c=US
  serial# = 59
  i = cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

 ** ski = 40:AE:D1:37:02:03:D6:BE:BB:D2:E3:31:CD:5A:D3:E4:43:FE:BF:BB
 ** aki = KeyIdentifier: 13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
    AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
    ***wrong*, the issuer is seclab server ca, not root!!***
    AuthorityCertSerialNumber: 1


Certchain entry: 1
 certsubject cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  serial# = 1
  i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

 ** ski = 13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
 ** aki = KeyIdentifier: 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
    AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
    AuthorityCertSerialNumber: 99dd8a982ee608fe


Certchain entry: 2
 certsubject cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  serial# = 11087170243882518782
  i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US

 ** ski = 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
 ** aki = KeyIdentifier: 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
    AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
    AuthorityCertSerialNumber: 99dd8a982ee608fe


I believe the problem is in the v3_akey.c module.  You are copying the
subject name of the issuer's issuer, not the issuer itself.  This has no
impact with a single layer hierarchy but breaks when you have an
intermediate CA.

if((issuer && !ikeyid) || (issuer == 2))
        {
        /* this should be X509_get_subject_name */
        isname = X509_NAME_dup(X509_get_issuer_name(cert));
        serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));


-- Tim
[EMAIL PROTECTED]
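An added example, not part of Tim's post or of OpenSSL: a small parser for the chain dump format shown above that checks each certificate's AKI against the next entry in the chain (normalising the two radixes the dump prints serials in) and reports whether the authorityCertIssuer name matches the issuer certificate's subject, which is what the post expects, or that certificate's own issuer name, which is how RFC 5280 section 4.2.1.1 defines the name/serial pair (it identifies the issuer's certificate). The dump text is constructed from the post's values with the mail-wrapped DNs rejoined.

```python
import re
# Constructed sample: the post's chain dump with each wrapped DN rejoined on one line.
DUMP = """\
Certchain entry: 0
 certsubject cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c=US
  serial# = 59
  i = cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
 ** ski = 40:AE:D1:37:02:03:D6:BE:BB:D2:E3:31:CD:5A:D3:E4:43:FE:BF:BB
 ** aki = KeyIdentifier: 13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
AuthorityCertSerialNumber: 1
Certchain entry: 1
 certsubject cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  serial# = 1
  i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
 ** ski = 13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
 ** aki = KeyIdentifier: 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
AuthorityCertSerialNumber: 99dd8a982ee608fe
Certchain entry: 2
 certsubject cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  serial# = 11087170243882518782
  i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
 ** ski = 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
 ** aki = KeyIdentifier: 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
AuthorityCertSerialNumber: 99dd8a982ee608fe
"""
def parse_chain(text):
    """One dict per entry, leaf first; serial# is decimal but the AKI serial is hex."""
    grab = lambda block, pat: re.search(pat, block).group(1).strip()
    return [{
        "subject": grab(b, r"certsubject (.+)"),
        "serial": int(grab(b, r"serial# = (\S+)")),
        "issuer": grab(b, r"\bi = (.+)"),
        "ski": grab(b, r"ski = (\S+)"),
        "aki_keyid": grab(b, r"KeyIdentifier: (\S+)"),
        "aki_name": grab(b, r"directoryName: (.+)"),
        "aki_serial": int(grab(b, r"SerialNumber: (\S+)"), 16),
    } for b in re.split(r"Certchain entry: \d+", text)[1:]]

def check_links(entries):
    """Compare each cert's AKI with the next entry (its issuer's certificate); per
    RFC 5280 4.2.1.1 the name/serial pair names that certificate's own issuer and serial."""
    return [{
        "keyid_ok": c["aki_keyid"] == ic["ski"],
        "serial_ok": c["aki_serial"] == ic["serial"],
        "name_is_issuer_certs_issuer": c["aki_name"] == ic["issuer"],
        "name_is_issuer_subject": c["aki_name"] == ic["subject"],  # the post's expectation
    } for c, ic in zip(entries, entries[1:])]
```

Running `check_links(parse_chain(DUMP))` shows the key identifiers and serials link on every hop (the root's decimal serial# equals the intermediate's hex AuthorityCertSerialNumber), and that the leaf's authorityCertIssuer equals the intermediate certificate's issuer name rather than its subject.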

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]