On Thu, May 08, 2014 at 09:48:43AM +0200, Stephan Mühlstrasser via RT wrote:
> I posted this test case for function X509_check_akid() on the
> openssl-users mailing list, but got no reaction, therefore I'm
> submitting it now as a defect for triaging.
> Test case:
>
> 1) Certificate that has an Authority Key Identifier extension (save as
> file "testcert.pem"):
[ but no subject key id, so the authority key id should not match itself ]
If so, and if the patch below does not break other use-cases, it may fix
your issue.
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 6c40c7d..7466938 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -744,8 +744,8 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
return X509_V_OK;
/* Check key ids (if present) */
- if(akid->keyid && issuer->skid &&
- ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
+ if(akid->keyid && (!issuer->skid ||
+ ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid)) )
return X509_V_ERR_AKID_SKID_MISMATCH;
/* Check serial number */
if(akid->serial &&
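Review bot: the comment `/* Check key ids (if present) */` no longer describes the new condition, which returns X509_V_ERR_AKID_SKID_MISMATCH when `akid->keyid` is set but `issuer->skid` is absent instead of skipping the check; reword it to say that an AKID key identifier with no issuer SKID to compare against is treated as a mismatch. The behavioural change is also wider than the reported self-match case: any issuer certificate lacking a Subject Key Identifier will now fail against a certificate carrying an AKID key identifier, so chains built on older CA certificates without SKID that verified before would stop verifying, which is exactly the "other use-cases" risk raised above; that deserves a note in the commit message and a regression test alongside the reporter's testcert.pem case.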
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]