Hello openssl-dev. I've run into an issue using OpenSSL to verify a certificate chain from an Infineon TPM endorsement key. This is not an OpenSSL bug, but rather an issue handling certificates deployed in the wild.
I believe Infineon may have published intermediate certificates with an invalid serial number in the X509v3 Authority Identifier. These are being properly rejected in X509_check_akid(). Unfortunately, I'm stuck using these certificates and would like to continue using OpenSSL to verify them. I've written a small change (see below) to handle this, but is there any recommended workaround?

Infineon's EK intermediate certificates (e.g. IFX08.pem), their root certificate (IFX-root.pem), and their issuer Verisign's certificate (VRSN-root.pem) are posted on this page:

http://www.infineon.com/cms/en/product/chip-card-and-security-ics/embedded-security/trusted-computing/trusted-platform-module-tpm1.2-pc/channel.html?channel=ff80808112ab681d0112ab6921ae011f#db3a304412b407950112b4165f462052

I've attached these as files in this message as well. You can see that the AKID in IFX08 is:

"""
X509v3 Authority Key Identifier:
    keyid:56:EB:91:44:85:63:D6:72:B3:AE:D4:45:96:0B:F7:94:0E:54:42:A6
    DirName:/C=DE/ST=Bavaria/O=Infineon Technologies AG/OU=AIM/CN=IFX TPM EK Root CA
    serial:03
"""

The authority keyid matches the IFX-root key's SKID. However, the "03" serial number doesn't appear to be correct and is rejected by X509_check_akid. This same problem has apparently come up for people with other certificates, e.g.:

http://www.mail-archive.com/openssl-users@openssl.org/msg62131.html

As a workaround, I added a flag to make check_issuer more lenient and ignore issuer serial mismatches. See the attached patch. The usage is as follows:

"""
$ openssl verify -CApath /path/to/my/certs IFX08.pem
IFX08.pem: C = DE, ST = Saxony, O = Infineon Technologies AG, OU = AIM, CN = IFX TPM EK Intermediate CA 08
error 20 at 0 depth lookup:unable to get local issuer certificate
$ openssl verify -ignore_akid_issuer_serial_mismatch -CApath /path/to/my/certs IFX08.pem
IFX08.pem: OK
"""

Thanks for any help or suggestions.
Attachments: IFX08.pem, IFX-root.pem, VRSN-root.pem, lenient-x509-check.patch
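To make the rejection described in the post concrete, here is an added example (not the poster's patch and not OpenSSL code) that decodes an AuthorityKeyIdentifier extension from DER with a minimal parser and then re-creates the comparisons X509_check_akid() performs: key identifier against the issuer's SKID, authorityCertSerialNumber against the issuer's serial, and the authorityCertIssuer directoryName against the issuer certificate's own issuer name. A flag skips only the serial comparison, which is my reading of what the attached patch's -ignore_akid_issuer_serial_mismatch does; the patch itself is not visible here. The sample AKID is constructed from the keyid and serial "03" shown in the post, with the DirName reduced to a single CN attribute; the issuer serial is a placeholder, since the real IFX-root serial is not on the page, and the sample treats the root as self-signed so that only the serial check fails.

```python
"""Added example: decode an X.509 AuthorityKeyIdentifier (RFC 5280 4.2.1.1) from
DER and apply the same checks OpenSSL's X509_check_akid() makes, plus a lenient
flag that ignores an issuer-serial mismatch. Not the post's patch or OpenSSL code."""


def _tlv(tag, body):
    # Minimal DER TLV encoder; every length used below is < 128, so one length
    # byte is enough (the assert keeps this helper honest).
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _read_tlv(buf, pos):
    # Decode one DER TLV at buf[pos]; returns (tag, value, position after it).
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_akid(der):
    """AuthorityKeyIdentifier ::= SEQUENCE {
         keyIdentifier             [0] OCTET STRING OPTIONAL,
         authorityCertIssuer       [1] GeneralNames OPTIONAL,
         authorityCertSerialNumber [2] INTEGER OPTIONAL }"""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AKID must be a single SEQUENCE")
    akid = {"keyid": None, "issuer_name": None, "serial": None}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x80:
            akid["keyid"] = val
        elif tag == 0xA1:
            # GeneralNames: keep the DER of the directoryName ([4]) if present
            p = 0
            while p < len(val):
                gtag, gval, p = _read_tlv(val, p)
                if gtag == 0xA4:
                    akid["issuer_name"] = gval
        elif tag == 0x82:
            akid["serial"] = int.from_bytes(val, "big", signed=True)
        else:
            raise ValueError("unexpected tag 0x%02x in AKID" % tag)
    return akid


def check_akid(akid, issuer_skid, issuer_serial, issuer_issuer_name=None,
               ignore_issuer_serial_mismatch=False):
    """Return the X509_V_* result name. Order follows X509_check_akid(): keyid
    against the issuer's SKID, then the serial, then the issuer's issuer name."""
    if (akid["keyid"] is not None and issuer_skid is not None
            and akid["keyid"] != issuer_skid):
        return "X509_V_ERR_AKID_SKID_MISMATCH"
    if (akid["serial"] is not None and akid["serial"] != issuer_serial
            and not ignore_issuer_serial_mismatch):
        return "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
    if (akid["issuer_name"] is not None and issuer_issuer_name is not None
            and akid["issuer_name"] != issuer_issuer_name):
        return "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
    return "X509_V_OK"


# Constructed sample: the keyid and serial "03" from the post's IFX08 AKID, with
# the DirName reduced to a single CN attribute.
IFX08_AKID_KEYID = bytes.fromhex("56EB91448563D672B3AED445960BF7940E5442A6")
_CN_NAME = _tlv(0x30, _tlv(0x31, _tlv(0x30,
    _tlv(0x06, bytes.fromhex("550403")) +        # OID 2.5.4.3 (commonName)
    _tlv(0x0C, b"IFX TPM EK Root CA"))))         # UTF8String
SAMPLE_AKID = _tlv(0x30,
    _tlv(0x80, IFX08_AKID_KEYID) +
    _tlv(0xA1, _tlv(0xA4, _CN_NAME)) +
    _tlv(0x82, b"\x03"))

# Placeholder: the real IFX-root serial is not shown in the post; any value
# other than 3 reproduces the rejection described there.
ISSUER_SERIAL_PLACEHOLDER = 1


def demo():
    # Assumes a self-signed root (issuer's issuer name == the CN above) so that
    # only the serial comparison can fail.
    akid = parse_akid(SAMPLE_AKID)
    strict = check_akid(akid, IFX08_AKID_KEYID, ISSUER_SERIAL_PLACEHOLDER, _CN_NAME)
    lenient = check_akid(akid, IFX08_AKID_KEYID, ISSUER_SERIAL_PLACEHOLDER, _CN_NAME,
                         ignore_issuer_serial_mismatch=True)
    return strict, lenient


if __name__ == "__main__":
    print(demo())
```

The strict call returns X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH and the lenient one X509_V_OK, which is the behaviour the post's two `openssl verify` runs show from the outside (check_issuer rejects the candidate, so verify reports "unable to get local issuer certificate"). Running this against a real certificate would additionally require pulling the extension's DER out of the certificate with a full X.509 parser, which this example deliberately leaves out; note also that the keyid check is unaffected by the flag, so a wrong key identifier is still rejected.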