This is a bug report for OpenSSL version 0.9.8e. The top level summary is that misconfigured certificates with a bogus Issuer field are processed as if the field was valid.

The Issuer should have an attribute of commonName (OID 2.5.4.3) and a value of some kind of string (e.g. T61String). If instead it has a bogus attribute, such as the obsolete OID 2.5.4.2, the command

    openssl x509 -in badcert.pem -inform PEM -noout -text

should report that the certificate has no issuer. Instead it reports an issuer containing the literal string "2.5.4.2" followed by the string value of this OID.

This seems like a clear violation of RFC3280 to me. I've attached a bogus certificate badcert.pem that exhibits this behavior. The output of the command

    openssl asn1parse -in badcert.pem -inform PEM

contains the following:

    38:d=5 hl=2 l= 3 prim: OBJECT :2.5.4.2
    43:d=5 hl=2 l= 49 prim: T61STRING :Demo APNIC via RIPE Production CA, [EMAIL PROTECTED]

The output of the command

    openssl x509 -in badcert.pem -inform PEM -noout -text

contains the following:

    Issuer: 2.5.4.2=Demo APNIC via RIPE Production CA, [EMAIL PROTECTED]

The output of "make report" on the system in question is:

    OpenSSL self-test report:
    OpenSSL version: 0.9.8e
    Last change: Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sur...
    Options: -march=pentium no-camellia no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-zlib no-zlib-dynamic
    OS (uname): Linux newpki.bbn.com 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux
    OS (config): i686-whatever-linux2
    Target (default): linux-elf
    Target: linux-elf
    Compiler: Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
    Thread model: posix
    gcc version 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)

Mark Reynolds
BBN Technologies
badcert.pem
Description: Binary data
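The report's point is that the Issuer's attribute type OID is printed without being checked. The following is an added example (not OpenSSL code and not part of the report) of the check a validating application could run itself: walk the DER encoding of an X.501 Name and flag any AttributeTypeAndValue whose type is not one of the attribute types a conforming implementation must or should be prepared to receive. The sample Name is constructed to mirror the asn1parse output above (one RDN of type 2.5.4.2 with a T61String value); the table of recognised OIDs and the choice to treat anything else as unrecognised are this example's assumptions, not text from the report.

```python
"""
Decode a DER-encoded X.501 Name (the type used by an X.509 Issuer/Subject)
and list every attribute type OID in it, flagging unrecognised ones.
Added example; not OpenSSL code.  The sample Names at the bottom are
constructed for illustration.
"""

# Assumption for this check: attribute types named in RFC 3280 section
# 4.1.2.4 (plus domainComponent and emailAddress) count as recognised;
# any other type in an Issuer is reported.
KNOWN_NAME_ATTRIBUTES = {
    "2.5.4.3": "commonName", "2.5.4.4": "surname",
    "2.5.4.5": "serialNumber", "2.5.4.6": "countryName",
    "2.5.4.7": "localityName", "2.5.4.8": "stateOrProvinceName",
    "2.5.4.10": "organizationName", "2.5.4.11": "organizationalUnitName",
    "2.5.4.12": "title", "2.5.4.42": "givenName", "2.5.4.43": "initials",
    "2.5.4.44": "generationQualifier", "2.5.4.46": "dnQualifier",
    "2.5.4.65": "pseudonym",
    "0.9.2342.19200300.100.1.25": "domainComponent",
    "1.2.840.113549.1.9.1": "emailAddress",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents):
    """Turn the contents octets of an OBJECT IDENTIFIER into dotted form."""
    subids, acc = [], 0
    for b in contents:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]                      # first subid packs the first two arcs
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def name_attributes(name_der):
    """Return [(oid, value_tag, value_bytes)] for every AttributeTypeAndValue
    in Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value ANY }."""
    tag, rdns, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = _read_tlv(rdns, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            oid_tag, oid_bytes, q = _read_tlv(atv, 0)
            if tag != 0x30 or oid_tag != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            val_tag, val_bytes, _ = _read_tlv(atv, q)
            out.append((decode_oid(oid_bytes), val_tag, val_bytes))
    return out


def unrecognised_attributes(name_der):
    """OIDs in the Name that are not in KNOWN_NAME_ATTRIBUTES (empty = accept)."""
    return [oid for oid, _, _ in name_attributes(name_der)
            if oid not in KNOWN_NAME_ATTRIBUTES]


# --- helpers to build constructed sample Names -----------------------------
def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for s in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append((s & 0x7F) | 0x80)
            s >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_name(attrs):
    """attrs: [(dotted_oid, value_tag, value_str)], one RDN per attribute."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, encode_oid(oid))
                                    + _tlv(vt, val.encode("latin-1"))))
                    for oid, vt, val in attrs)
    return _tlv(0x30, rdns)


# Constructed samples: the first mirrors badcert.pem's issuer (type 2.5.4.2,
# T61String tag 0x14); the second is a well-formed C=/CN= issuer.
BAD_ISSUER = make_name([("2.5.4.2", 0x14,
                         "Demo APNIC via RIPE Production CA, [EMAIL PROTECTED]")])
GOOD_ISSUER = make_name([("2.5.4.6", 0x13, "US"), ("2.5.4.3", 0x0C, "Demo CA")])

if __name__ == "__main__":
    for label, der in (("badcert issuer", BAD_ISSUER), ("good issuer", GOOD_ISSUER)):
        unknown = unrecognised_attributes(der)
        print(label, "->", ("unrecognised type(s): " + ", ".join(unknown)) if unknown else "ok")
```

Run as a script it prints that the constructed badcert issuer carries the unrecognised type 2.5.4.2 while the well-formed issuer passes. The useful property for a verifier is that the decision is made on the decoded OID, before any value is rendered as text, so an unknown type is a parse-level finding rather than something that only shows up as an odd string in `-text` output.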
