Hello, I am doing some interop testing with a toolkit that performs PKIX certificate verification and it is having a problem validating a chain I built with OpenSSL. What appears to be happening is that when 'ca' copies in the authority key information into the client certificate, it is pulling in the CA subject from my root CA instead of my intermediate CA (marked *wrong* below).
If you look at the following chain (leaf->intermediate->root CA), you will notice the subject key/authority keys are correct. The authority serial numbers are correct. But, the leaf certificate has the rootCA's subject DN. It should be the intermediate CA's subject DN.

Certchain entry: 0
  certsubject cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c=US
  serial# = 59
  i = cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  ** ski = 40:AE:D1:37:02:03:D6:BE:BB:D2:E3:31:CD:5A:D3:E4:43:FE:BF:BB
  ** aki = KeyIdentifier: 13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
           AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
             ***wrong*, the issuer is seclab server ca, not root!!***
           AuthorityCertSerialNumber: 1

Certchain entry: 1
  certsubject cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  serial# = 1
  i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  ** ski = 13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E
  ** aki = KeyIdentifier: 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
           AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
           AuthorityCertSerialNumber: 99dd8a982ee608fe

Certchain entry: 2
  certsubject cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  serial# = 11087170243882518782
  i = cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
  ** ski = 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
  ** aki = KeyIdentifier: 2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A
           AuthorityCertIssuer: directoryName: cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US
           AuthorityCertSerialNumber: 99dd8a982ee608fe

I believe the problem is in the v3_akey.c module. You are copying the subject name of the issuer's issuer, not the issuer itself. This has no impact with a single layer hierarchy but breaks when you have an intermediate CA.
    if((issuer && !ikeyid) || (issuer == 2)) {
        /* this should be X509_get_subject_name */
        isname = X509_NAME_dup(X509_get_issuer_name(cert));
        serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));

--
Tim
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
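An added example, not code from the post or from OpenSSL, that applies to the chain dump above the AuthorityKeyIdentifier linkage checks a PKIX validator can make. RFC 5280 section 4.2.1.1 defines keyIdentifier as the issuing CA's SubjectKeyIdentifier and the authorityCertIssuer/authorityCertSerialNumber pair as identifying the issuing CA's own certificate (that certificate's issuer name and serial number); the code evaluates both that reading and the one the post expects (the issuer's subject name) on every link so the two can be compared. The CertInfo records are transcribed from the dump; CertInfo, check_link and check_chain are names of this example only.

```python
# Added example, not code from the post or from OpenSSL: cross-check the
# AuthorityKeyIdentifier (AKID) links of a chain as a PKIX validator does.
# RFC 5280 4.2.1.1: keyIdentifier = issuing CA's SubjectKeyIdentifier;
# authorityCertIssuer + authorityCertSerialNumber identify the issuing CA's
# own certificate, i.e. that certificate's issuer name and serial number.
from dataclasses import dataclass

ROOT_DN = "cn=seclab root CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US"
SERVER_CA_DN = "cn=seclab server CA,ou=seclab,o=myCompany,l=Fairfax,st=MyState,c=US"
LEAF_DN = "cn=mirage,ou=QA,o=myCompany,l=Denver,st=Colorado,c=US"

@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    serial: int
    ski: str          # SubjectKeyIdentifier, colon-separated hex
    aki_keyid: str    # AKID keyIdentifier
    aki_issuer: str   # AKID authorityCertIssuer (directoryName)
    aki_serial: int   # AKID authorityCertSerialNumber

# Values transcribed from the dump in the post (root serial# printed in decimal, AKID serial in hex).
ROOT = CertInfo(ROOT_DN, ROOT_DN, 11087170243882518782,
                "2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A",
                "2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A",
                ROOT_DN, 0x99dd8a982ee608fe)
SERVER_CA = CertInfo(SERVER_CA_DN, ROOT_DN, 1,
                     "13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E",
                     "2E:0E:17:EE:8A:0A:0A:41:21:16:9E:31:F8:66:D6:4C:E3:93:AB:7A",
                     ROOT_DN, 0x99dd8a982ee608fe)
LEAF = CertInfo(LEAF_DN, SERVER_CA_DN, 59,
                "40:AE:D1:37:02:03:D6:BE:BB:D2:E3:31:CD:5A:D3:E4:43:FE:BF:BB",
                "13:0E:DE:A8:99:B4:71:D6:E0:25:F4:09:65:B8:8F:37:85:99:CB:2E",
                ROOT_DN, 1)

def check_link(child: CertInfo, parent: CertInfo) -> dict:
    """Which AKID linkage conditions hold between child and the cert that issued it."""
    return {
        "issuer_dn_is_parent_subject": child.issuer == parent.subject,
        "keyid_is_parent_ski": child.aki_keyid.upper() == parent.ski.upper(),
        "serial_is_parent_serial": child.aki_serial == parent.serial,
        "name_is_parent_issuer": child.aki_issuer == parent.issuer,    # RFC 5280 reading
        "name_is_parent_subject": child.aki_issuer == parent.subject,  # the post's expectation
    }

def check_chain(chain: list) -> list:
    """Leaf-first chain; the final self-signed root is checked against itself."""
    pairs = list(zip(chain, chain[1:])) + [(chain[-1], chain[-1])]
    return [check_link(c, p) for c, p in pairs]
```

Calling check_chain([LEAF, SERVER_CA, ROOT]) returns one result dict per link; on the dump above, keyid, serial and the RFC 5280 name condition hold on every link, while the subject-name reading holds only on the links whose issuing CA is the self-signed root.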