Hello,

> On 30 May 2015 at 09:48, John Lofgren via RT <r...@openssl.org> wrote:
>
> I believe I have pinpointed a typo-error that may be the cause of one or
> two other outstanding bugs related to certificate chain validation. This
> bug only occurs in a chain of certs at least 3 deep when the certs use
> the X509v3 Authority Key Identifier extension.
>
> I am attaching a chain of 3 certs that verifies using the Windows
> Certificate Manager, but fails to verify in versions 1.0.1, 1.0.1c and
> 1.0.1m.
>
> Example failure command:
> openssl verify -CAfile openssl-verify-chain-bug-CA.crt -untrusted
> openssl-verify-chain-bug-IM-CA.crt openssl-verify-chain-bug-CS.crt
This chain is malformed. In the -bug-CS.crt certificate, the AKI.issuername should be "C=US, O=OpenSSL, CN=openssl verify chain bug Root CA" instead of "C=US, O=OpenSSL, CN=openssl verify chain bug Intermediate CA". Microsoft doesn't choke on it because this extension is only a helper and MUST NOT be used to (in)validate a certificate chain.

> I have also provided a one line patch to crypto/x509v3/v3_purp.c. I
> believe the error is due to a simple typo. The function X509_check_akid()
> is meant to compare the keyID, serial number, and issuer name between a
> cert and its issuer cert. The keyID and serial number compares are working
> correctly. However, when comparing the issuer name, instead of comparing
> the cert's issuer name to the issuer cert's subject name, it is comparing
> to the issuer cert's *issuer* name. i.e. instead of comparing to the
> parent name, it is comparing to the grandparent name.

AKI is a helper to identify the issuer certificate. A certificate can uniquely be specified by its issuer name and serial number. Therefore, the AKI MUST contain the issuer's issuer name and the issuer's serial number.
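The comparison the thread is arguing about, as an added Python model that is not OpenSSL's code: certificates are plain dicts, the two CA names are the ones quoted above, the leaf name, serial numbers and key identifiers are assumptions, and the check mirrors the keyID / serial / issuer-name comparisons X509_check_akid() makes against the candidate issuer, so the well-formed chain passes and the attached CS certificate fails on the issuer name.

```python
# Added model, not OpenSSL's code; names from the thread, serials/key ids made up.
ROOT_NAME = "C=US, O=OpenSSL, CN=openssl verify chain bug Root CA"
IM_NAME = "C=US, O=OpenSSL, CN=openssl verify chain bug Intermediate CA"
CS_NAME = "C=US, O=OpenSSL, CN=openssl verify chain bug CS"  # assumed leaf name

def cert(subject, issuer, serial, skid, aki=None):
    """Minimal stand-in for an X509 object: only the fields the check reads."""
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "skid": skid, "aki": aki}

def aki(keyid=None, issuer_name=None, serial=None):
    """AuthorityKeyIdentifier; every field is optional (RFC 5280 4.2.1.1)."""
    return {"keyid": keyid, "issuer": issuer_name, "serial": serial}

def check_akid(issuer, akid):
    """Compare a cert's AKI with its candidate *issuer* cert.

    The AKI names the issuer cert by (issuer's issuer name, issuer's serial),
    so the AKI issuer name is matched against the issuer's own issuer name:
    the 'grandparent' comparison the report took for a typo.
    """
    if akid is None:
        return "X509_V_OK"
    if (akid["keyid"] is not None and issuer["skid"] is not None
            and akid["keyid"] != issuer["skid"]):
        return "X509_V_ERR_AKID_SKID_MISMATCH"
    if akid["serial"] is not None and akid["serial"] != issuer["serial"]:
        return "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
    if akid["issuer"] is not None and akid["issuer"] != issuer["issuer"]:
        return "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
    return "X509_V_OK"

def verify_chain(chain):
    """Walk leaf -> root, returning the first AKI error or X509_V_OK."""
    for child, parent in zip(chain, chain[1:]):
        rc = check_akid(parent, child["aki"])
        if rc != "X509_V_OK":
            return rc
    return "X509_V_OK"

# Root (self-signed) -> Intermediate -> CS, as in the attached chain.
root = cert(ROOT_NAME, ROOT_NAME, serial=1, skid="root-kid")
im = cert(IM_NAME, ROOT_NAME, serial=2, skid="im-kid",
          aki=aki("root-kid", ROOT_NAME, 1))
# Well-formed CS: AKI names the intermediate by its issuer (Root) and serial.
cs_good = cert(CS_NAME, IM_NAME, serial=3, skid="cs-kid",
               aki=aki("im-kid", ROOT_NAME, 2))
# The attached CS cert: AKI issuer name set to the intermediate's own subject.
cs_malformed = cert(CS_NAME, IM_NAME, serial=3, skid="cs-kid",
                    aki=aki("im-kid", IM_NAME, 2))
```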