I posted this test case for function X509_check_akid() on the
openssl-users mailing list, but got no reaction; therefore I'm
submitting it now as a defect for triaging.
Test case:
1) Certificate that has an Authority Key Identifier extension (save as
file "testcert.pem"):
-----BEGIN CERTIFICATE-----
MIIBvzCCASigAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
IENBMB4XDTE0MDUwMjA5MDI1OFoXDTE0MDYwMTA5MDI1OFowFDESMBAGA1UEAwwJ
VGVzdCBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCwnv66JvZTVaf
Z3tqMo5od80yv9J0rxUMlAPXFiRM3P/JgDjW5NVIt2Ryaqwd7qZFN1f0HpcQAM5m
SJsQpi8ZxbfGB9BIt7SgRuKdj5ntDX1WJ84gl4C8R2t75B8d0WrJBJUYL2XCOEnu
S0RpfxvLZryH8Pr48Wp8NM6gONAjgQIDAQABoyMwITAfBgNVHSMEGDAWgBQLHOwh
WWaA9y49g7bt77DLa5/RKjANBgkqhkiG9w0BAQsFAAOBgQB7Md75mT3aHcR1vyf7
q8t5+x2JzbXxY3bSF1eRreaC65luDGwHrwd8e6vsYQGfOL35Q9lz+6eJRQWFsLkV
LoILyOEJlfJIN2hX7ZOphTsQ4xhgUanBtQBh7a3if4ywF6YMS8XgBwCxXcmrndGm
OZLjSWhsx6spsyLl56iduRWtzQ==
-----END CERTIFICATE-----
2) Test program that loads the certificate and invokes X509_check_akid()
for the certificate with its own Authority Key Identifier (all error
checks omitted for brevity):
------------ snip ---------------
/*
* Test program for X509_check_akid()
*
* The program loads a certificate that has the
* "X509v3 Authority Key Identifier" and invokes X509_check_akid()
* with this authority key identifier and the certificate itself.
*/
#include <stdio.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
int
main(void)
{
    BIO *pem;
    const char *file = "testcert.pem";
    X509 *cert;
    int akid_check;

    pem = BIO_new(BIO_s_file());
    BIO_read_filename(pem, file);
    cert = PEM_read_bio_X509_AUX(pem, NULL, NULL, NULL);

    /* With id = -1 and ca = -1 no purpose is checked; the call only
     * populates the cached extension fields, cert->akid among them.
     * (Direct struct access: the X509 struct is not opaque in 1.0.2.) */
    X509_check_purpose(cert, -1, -1);

    /* Ask whether the certificate could be the issuer named by its own AKID. */
    akid_check = X509_check_akid(cert, cert->akid);
    printf("X509_check_akid result %d '%s'\n", akid_check,
           X509_verify_cert_error_string(akid_check));

    X509_free(cert);
    BIO_free(pem);
    return 0;
}
------------------- snip ---------------
Actual result:
When compiled and executed with a current OpenSSL build from the
OpenSSL_1_0_2-stable branch the program prints:
X509_check_akid result 0 'ok'
Expected result:
X509_check_akid() should return an error code because the certificate
actually cannot be identified as its own issuer via the X509v3 Authority
Key Identifier extension.
Background:
The test case scenario actually occurs in an application that uses
X509_verify_cert() where certain checks are disabled through a callback
function applied with X509_STORE_set_verify_cb(). A certificate is
incorrectly identified as the CRL issuer certificate through this behavior.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
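Added example (not part of the report above, and not OpenSSL code): a minimal DER walk over the posted certificate that pulls out its Authority Key Identifier, shows that it carries no Subject Key Identifier at all, and compares two keyid checks. lenient_akid_check() models the behaviour the report observes (the keyid is only compared when the candidate issuer also carries an SKID; this is my reading of the reported result, not a transcription of X509_check_akid()). strict_akid_check() is the stricter rule the reporter expects, under which a candidate issuer with no SKID cannot be confirmed as the issuer. Both function names, make_skid_ext() and the synthetic issuer extension sets built in the usage section are assumptions for illustration; only the keyIdentifier form of the AKID is handled, not the issuer/serial form.

```python
"""Added example: DER walk over the reported cert, lenient vs strict AKID/SKID check."""
import base64

# Certificate from the report (testcert.pem), copied verbatim.
TESTCERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBvzCCASigAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
IENBMB4XDTE0MDUwMjA5MDI1OFoXDTE0MDYwMTA5MDI1OFowFDESMBAGA1UEAwwJ
VGVzdCBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCwnv66JvZTVaf
Z3tqMo5od80yv9J0rxUMlAPXFiRM3P/JgDjW5NVIt2Ryaqwd7qZFN1f0HpcQAM5m
SJsQpi8ZxbfGB9BIt7SgRuKdj5ntDX1WJ84gl4C8R2t75B8d0WrJBJUYL2XCOEnu
S0RpfxvLZryH8Pr48Wp8NM6gONAjgQIDAQABoyMwITAfBgNVHSMEGDAWgBQLHOwh
WWaA9y49g7bt77DLa5/RKjANBgkqhkiG9w0BAQsFAAOBgQB7Md75mT3aHcR1vyf7
q8t5+x2JzbXxY3bSF1eRreaC65luDGwHrwd8e6vsYQGfOL35Q9lz+6eJRQWFsLkV
LoILyOEJlfJIN2hX7ZOphTsQ4xhgUanBtQBh7a3if4ywF6YMS8XgBwCxXcmrndGm
OZLjSWhsx6spsyLl56iduRWtzQ==
-----END CERTIFICATE-----"""

OID_SKID = "2.5.29.14"   # id-ce-subjectKeyIdentifier
OID_AKID = "2.5.29.35"   # id-ce-authorityKeyIdentifier


def pem_to_der(pem):
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_tlv(buf, pos):
    """Decode one TLV at pos -> (tag, value_start, value_end). Single-byte tags only."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def extensions(cert_der):
    """Map extension OID -> extnValue (the DER inside the OCTET STRING)."""
    _, cert_s, _ = der_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = der_tlv(cert_der, cert_s)         # tbsCertificate ::= SEQUENCE
    exts = {}
    for tag, s, _ in der_children(cert_der, tbs_s, tbs_e):
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions
            continue
        _, seq_s, seq_e = der_tlv(cert_der, s)          # SEQUENCE OF Extension
        for _, es, ee in der_children(cert_der, seq_s, seq_e):
            fields = list(der_children(cert_der, es, ee))   # OID [, critical], OCTET STRING
            oid = decode_oid(cert_der[fields[0][1]:fields[0][2]])
            exts[oid] = cert_der[fields[-1][1]:fields[-1][2]]
    return exts


def akid_keyid(akid_value):
    """keyIdentifier [0] IMPLICIT OCTET STRING of AuthorityKeyIdentifier, or None."""
    _, s, e = der_tlv(akid_value, 0)                    # AuthorityKeyIdentifier ::= SEQUENCE
    for tag, vs, ve in der_children(akid_value, s, e):
        if tag == 0x80:
            return akid_value[vs:ve]
    return None


def skid_value(skid_ext):
    """SubjectKeyIdentifier ::= OCTET STRING."""
    _, s, e = der_tlv(skid_ext, 0)
    return skid_ext[s:e]


def make_skid_ext(keyid):
    """Constructed SKID extnValue for a hypothetical issuer (assumption, not real data)."""
    return bytes([0x04, len(keyid)]) + keyid


def lenient_akid_check(issuer_exts, akid_value):
    """Model of the reported behaviour: compare keyids only when the issuer has an SKID."""
    keyid = akid_keyid(akid_value)
    skid = skid_value(issuer_exts[OID_SKID]) if OID_SKID in issuer_exts else None
    if keyid is not None and skid is not None and keyid != skid:
        return "AKID_SKID_MISMATCH"
    return "ok"


def strict_akid_check(issuer_exts, akid_value):
    """Stricter rule: an AKID keyid requires a matching SKID on the candidate issuer."""
    keyid = akid_keyid(akid_value)
    if keyid is None:
        return "ok"                                     # nothing to compare against
    if OID_SKID not in issuer_exts or skid_value(issuer_exts[OID_SKID]) != keyid:
        return "AKID_SKID_MISMATCH"
    return "ok"


if __name__ == "__main__":
    exts = extensions(pem_to_der(TESTCERT_PEM))
    print("AKID keyid:", akid_keyid(exts[OID_AKID]).hex(), "has SKID:", OID_SKID in exts)
    print("cert as its own issuer, lenient:", lenient_akid_check(exts, exts[OID_AKID]))
    print("cert as its own issuer, strict: ", strict_akid_check(exts, exts[OID_AKID]))
```

Run stand-alone, the script reports that the certificate has an AKID keyid but no SKID, that the lenient rule answers "ok" for the certificate as its own issuer (the result the report shows), and that the strict rule answers "AKID_SKID_MISMATCH". The strict rule is what a caller needs if it wants the AKID alone to rule a candidate out as a CRL or certificate issuer; under the lenient rule a candidate that simply omits the SKID is never rejected on key id, so the caller must still rely on the signature check or on the serial/issuer parts of the AKID.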