On 08.05.14 15:14, Viktor Dukhovni wrote:
Test case:
1) Certificate that has an Authority Key Identifier extension (save as
file "testcert.pem"):
[ but no subject key id, so the authority key id should not match itself ]
If so, and if the patch below does not break other use-cases, it may fix
your issue.
I can confirm that with this patch applied my use case with
X509_verify_cert() works as expected (misidentification of signing
certificate as CRL issuer no longer occurs).
I think that this patch only prevents misidentifications of issuer
certificates via authority key identifier, so all legitimate use cases
should be unaffected.
Thanks for looking into this so quickly!
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 6c40c7d..7466938 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -744,8 +744,8 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
return X509_V_OK;
/* Check key ids (if present) */
- if(akid->keyid && issuer->skid &&
- ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
+ if(akid->keyid && (!issuer->skid ||
+ ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid)) )
return X509_V_ERR_AKID_SKID_MISMATCH;
/* Check serial number */
if(akid->serial &&
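Review bot: the rewritten condition `if(akid->keyid && (!issuer->skid ||` turns a missing issuer SKID from a silent pass into a hard X509_V_ERR_AKID_SKID_MISMATCH whenever the AKID carries a keyid, which is what stops the self-match described in the thread, but it is also a behaviour change for any issuer certificate that lacks a Subject Key Identifier, so the commit message should state that explicitly rather than leaving it implied. RFC 5280 requires conforming CA certificates to carry an SKID, so the stricter rule is defensible; a one-line comment above the check (e.g. `/* An AKID keyid can only match an issuer that actually has an SKID */`) would record that rationale next to the code. Minor style point: the trailing `)) )` on the second added line leaves a stray space before the closing paren; `))` keeps it consistent with the rest of the function.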
Stephan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]