Bonjour,
The goal of this function is to determine if a given
authorityKeyIdentifier extension matches an issuer certificate
(issuer=authority).
The AKI extension can contain 3 elements:
- keyIdentifier
- authorityCertIssuer
- authorityCertSerialNumber
(X.509 mandates that the last 2 MUST be present together, this
constraint is not mentioned in RFC5280)
The first element is to be compared with the issuer's
subjectKeyIdentifier, is present.
The 2nd and 3rd element are to be compared with the issuer's issuerName
and issuer' serialNumber, respectively.
They are here to uniquely identify a certificate, and a certificate is
uniquely identified by its issuer's name and its own serial number.
Therefore the fix is incorrect. If you've got a certificate chain that
doesn't validate the AKI with the last 2 elements, it surely means your
certificates are improperly constructed.
--
Erwann ABALEA
-----
yachtitropicomythivorotrièdre: triangle des Bermudes
Le 13/09/2012 09:15, David Shambroom via RT a écrit :
Using:
Windows 7 Professional SP1
openssl-1.0.0g
Build:
perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl
ms\do_win64a
nmake -f ms\nt.mak
source file:
openssl-1.0.0g\crypto\x509v3\v3_purp.c
function:
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
line 762:
if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
^^^^^^
I believe this should be:
if(nm && X509_NAME_cmp(nm, X509_get_subject_name(issuer)))
^^^^^^^
I have tested and verified this fix.
Best regards,
--David Shambroom
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
