On 08.05.14 15:14, Viktor Dukhovni wrote:
>> Test case:
>>
>> 1) Certificate that has an Authority Key Identifier extension (save as
>> file "testcert.pem"):
>
> [ but no subject key id, so the authority key id should not match itself ]
>
> If so, and if the patch below does not break other use-cases, it may fix
> your issue.

I can confirm that with this patch applied my use case with X509_verify_cert() works as expected (misidentification of the signing certificate as CRL issuer no longer occurs). I think that this patch only prevents misidentifications of issuer certificates via authority key identifier, so all legitimate use cases should be unaffected. Thanks for looking into this so quickly!

> diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
> index 6c40c7d..7466938 100644
> --- a/crypto/x509v3/v3_purp.c
> +++ b/crypto/x509v3/v3_purp.c
> @@ -744,8 +744,8 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
> return X509_V_OK;
>
> /* Check key ids (if present) */
> - if(akid->keyid && issuer->skid &&
> ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
> + if(akid->keyid && (!issuer->skid ||
> + ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid)) )
> return X509_V_ERR_AKID_SKID_MISMATCH;
> /* Check serial number */
> if(akid->serial &&

Stephan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
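Review bot: the rewritten condition in the X509_check_akid hunk makes a missing issuer SKID a hard X509_V_ERR_AKID_SKID_MISMATCH whenever the AKID carries a keyid, so the function now returns before the "Check serial number" block that follows and an issuer certificate without a Subject Key Identifier can no longer be matched by keyid or by the authorityCertIssuer/serial fallback. That closes the self-match Viktor describes, but it is a behaviour change for legacy CA certificates that omit SKID (RFC 5280 requires CA certificates to carry one; older ones may not), and the commit message should say so explicitly. Also, the @@ -744,8 header counts eight old lines, yet only one line in the hunk is marked with "-"; the continuation line "ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )" appears to have lost its "-" marker when pasted, so the patch as shown here would not apply cleanly.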
