This is a bug report for OpenSSL version 0.9.8e. The top level summary is that misconfigured certificates with a bogus Issuer field are processed as if the field was valid.

The Issuer should have an attribute of commonName (OID 2.5.4.3) and a value of some kind of string (e.g. T61String). If instead it has a bogus attribute, such as the obsolete OID 2.5.4.2, the command

    openssl x509 -in badcert.pem -inform PEM -noout -text

should report that the certificate has no issuer. Instead it reports an issuer containing the literal string "2.5.4.2" followed by the string value of this OID. This seems like a clear violation of RFC3280 to me. I've attached a bogus certificate badcert.pem that exhibits this behavior.

The output of the command

    openssl asn1parse -in badcert.pem -inform PEM

contains the following:

    38:d=5  hl=2 l=   3 prim: OBJECT    :2.5.4.2
    43:d=5  hl=2 l=  49 prim: T61STRING :Demo APNIC via RIPE Production CA, [EMAIL PROTECTED]

The output of the command

    openssl x509 -in badcert.pem -inform PEM -noout -text

contains the following:

    Issuer: 2.5.4.2=Demo APNIC via RIPE Production CA, [EMAIL PROTECTED]

The output of "make report" on the system in question is:

    OpenSSL self-test report:

    OpenSSL version:  0.9.8e
    Last change:      Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sur...
    Options:          -march=pentium no-camellia no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-zlib no-zlib-dynamic
    OS (uname):       Linux newpki.bbn.com 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux
    OS (config):      i686-whatever-linux2
    Target (default): linux-elf
    Target:           linux-elf
    Compiler:         Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
                      Thread model: posix
                      gcc version 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)

Mark Reynolds
BBN Technologies
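Added example, not code from the bug report or from OpenSSL: a minimal DER parser for an X.501 Name that lists the attribute-type OIDs in an Issuer and flags any outside an allowlist, so an obsolete type such as 2.5.4.2 is reported as unexpected rather than rendered as if it were a valid attribute. The allowlist (KNOWN_ATTRS) and the sample encoded Issuer are constructed assumptions; badcert.pem itself is not reproduced here.

```python
# Added example, not code from the report: parse a DER-encoded X.501 Name and flag RDN
# attribute types outside an allowlist. KNOWN_ATTRS (common X.520 types) is an assumption.
KNOWN_ATTRS = {
    "2.5.4.3": "commonName", "2.5.4.6": "countryName", "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName", "2.5.4.10": "organizationName",
    "2.5.4.11": "organizationalUnitName", "1.2.840.113549.1.9.1": "emailAddress",
}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content octets, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content octets to dotted form, e.g. 55 04 02 -> '2.5.4.2'."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; return (oid, text) pairs."""
    tag, seq, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _tlv(seq, pos)
        assert tag == 0x31, "RDN must be a SET"
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _tlv(rdn, inner)        # AttributeTypeAndValue
            _, oid, after = _tlv(atv, 0)
            _, val, _ = _tlv(atv, after)            # string value (type not checked here)
            attrs.append((decode_oid(oid), val.decode("latin-1")))
    return attrs

def unknown_attribute_types(der):
    """OIDs used as attribute types in the Name that are not in KNOWN_ATTRS."""
    return [oid for oid, _ in parse_name(der) if oid not in KNOWN_ATTRS]

# Constructed sample Issuer mirroring the report: one RDN, type OID 2.5.4.2, T61String (0x14) value.
VALUE = b"Demo CA"
ATV = bytes([0x30, 7 + len(VALUE), 0x06, 0x03, 0x55, 0x04, 0x02, 0x14, len(VALUE)]) + VALUE
BAD_ISSUER = bytes([0x30, len(ATV) + 2, 0x31, len(ATV)]) + ATV
```

Running `unknown_attribute_types(BAD_ISSUER)` yields `["2.5.4.2"]`, which is the check a caller would want before trusting a rendered Issuer string.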