Hello openssl-dev. I've run into an issue using OpenSSL to verify a
certificate chain from an Infineon TPM endorsement key. This is not an
OpenSSL bug, but rather an issue handling certificates deployed in the
wild.

I believe Infineon may have published intermediate certificates with
an invalid serial number in the X509v3 Authority Identifier. These are
being properly rejected in X509_check_akid(). Unfortunately, I'm stuck
using these certificates and would like to continue using OpenSSL to
verify them. I've written a small change (see below) to handle this,
but is there any recommended workaround?

Infineon's EK intermediate certificates (e.g. IFX08.pem), their root
certificate (IFX-root.pem), and their issuer Verisign's certificate
(VRSN-root.pem) are posted on this page:
http://www.infineon.com/cms/en/product/chip-card-and-security-ics/embedded-security/trusted-computing/trusted-platform-module-tpm1.2-pc/channel.html?channel=ff80808112ab681d0112ab6921ae011f#db3a304412b407950112b4165f462052

I've attached these as files in this message as well. You can see that
the AKID in IFX08 is:
"""
X509v3 Authority Key Identifier:
  keyid:56:EB:91:44:85:63:D6:72:B3:AE:D4:45:96:0B:F7:94:0E:54:42:A6
  DirName:/C=DE/ST=Bavaria/O=Infineon Technologies AG/OU=AIM/CN=IFX
TPM EK Root CA
  serial:03
"""

The authority keyid matches the IFX-root key's SKID. However, the "03"
serial number doesn't appear to be correct and is rejected by
X509_check_akid. This same problem has apparently come up for people
with other certificates, e.g.:
http://www.mail-archive.com/openssl-users@openssl.org/msg62131.html

As a workaround, I added a flag to make check_issuer more lenient and
ignore issuer serial mismatches. See the attached patch. The usage is
as follows:
"""
$ openssl verify -CApath /path/to/my/certs IFX08.pem
IFX08.pem: C = DE, ST = Saxony, O = Infineon Technologies AG, OU =
AIM, CN = IFX TPM EK Intermediate CA 08
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify -ignore_akid_issuer_serial_mismatch -CApath
/path/to/my/certs IFX08.pem
IFX08.pem: OK
"""

Thanks for any help or suggestions.

Attachments: IFX08.pem, IFX-root.pem, VRSN-root.pem, lenient-x509-check.patch
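
A worked illustration of the check that is tripping here, added for this write-up and not part of the post or its patch: it reads the fields X509_check_akid compares out of `openssl x509 -noout -text` output and applies the same three tests in OpenSSL's order, with a switch that behaves like the -ignore_akid_issuer_serial_mismatch flag above. The certificate texts are constructed stand-ins (the root's serial is a placeholder, since the post does not give it) and the DirName comparison is a whitespace-normalised string match rather than X509_NAME_cmp.

```python
import re
# Constructed stand-ins for `openssl x509 -noout -text` output, cut down to the lines the check
# reads. IFX08's AKID block is the one quoted in the post; the root's serial (0x1234) is a placeholder.
IFX08_TEXT = """\
            X509v3 Authority Key Identifier:
                keyid:56:EB:91:44:85:63:D6:72:B3:AE:D4:45:96:0B:F7:94:0E:54:42:A6
                DirName:/C=DE/ST=Bavaria/O=Infineon Technologies AG/OU=AIM/CN=IFX TPM EK Root CA
                serial:03
"""
IFX_ROOT_TEXT = """\
        Serial Number: 4660 (0x1234)
        Issuer: C = DE, ST = Bavaria, O = Infineon Technologies AG, OU = AIM, CN = IFX TPM EK Root CA
            X509v3 Subject Key Identifier:
                56:EB:91:44:85:63:D6:72:B3:AE:D4:45:96:0B:F7:94:0E:54:42:A6
"""

def _name(s, sep):  # 'C = DE, ST = Bavaria' or '/C=DE/ST=Bavaria' -> ((attr, value), ...)
    return tuple(tuple(x.strip() for x in p.split("=", 1)) for p in s.strip("/ ").split(sep) if p.strip())

def parse_cert_text(text):
    """Pull the fields X509_check_akid compares out of `openssl x509 -text` output."""
    f, lines = {"akid": {}}, text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Serial Number:"):  # "3 (0x3)" inline, or hex octets on the next line
            rest = line.split(":", 1)[1].strip() or lines[i + 1].strip()
            m = re.search(r"0x([0-9A-Fa-f]+)", rest)
            f["serial"] = int(m.group(1), 16) if m else int(rest.replace(":", ""), 16)
        elif line.startswith("Issuer:"):
            f["issuer"] = _name(line.split(":", 1)[1], ",")
        elif line.startswith("X509v3 Subject Key Identifier"):
            f["skid"] = lines[i + 1].strip().upper()
        elif line.startswith("X509v3 Authority Key Identifier"):
            for key, _, val in (l.strip().partition(":") for l in lines[i + 1:i + 4]):
                if key == "keyid": f["akid"]["keyid"] = val.upper()
                elif key == "DirName": f["akid"]["issuer"] = _name(val, "/")
                elif key == "serial": f["akid"]["serial"] = int(val.replace(":", ""), 16)
    return f

def check_akid(cert_text, issuer_text, ignore_serial_mismatch=False):
    """X509_check_akid's tests in OpenSSL's order: "ok" or the first failure; the flag models the post's workaround."""
    cert, issuer = parse_cert_text(cert_text), parse_cert_text(issuer_text)
    akid = cert["akid"]
    if "keyid" in akid and "skid" in issuer and akid["keyid"] != issuer["skid"]:
        return "akid_skid_mismatch"
    if "serial" in akid and akid["serial"] != issuer.get("serial") and not ignore_serial_mismatch:
        return "akid_issuer_serial_mismatch"
    # RFC 5280: authorityCertIssuer names the issuer of the CA's *own* certificate, so OpenSSL
    # compares the DirName with X509_get_issuer_name(issuer), not with the issuer's subject.
    if "issuer" in akid and akid["issuer"] != issuer.get("issuer"):
        return "akid_issuer_name_mismatch"
    return "ok"
```

On a real chain, feed it the text of `openssl x509 -in IFX08.pem -noout -text` and of the issuer certificate; the serial test fires first, which is why the verify output above reports only the missing issuer and never reaches the DirName comparison.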
