>> I used openssl with the intermediate CA to sign a separate cert, which
>> had an AKID keyid but no issuer, and that chain recognizes fine.
>>
>> Could the problem be the fact that yahoo.pem has an AKID keyid AND
>> issuer? (one or the other is sufficient, but I could find nothing that
>> said that both were illegal).
>
> it might be a bug in openssl X509_check_issued() function.
>
> I'm using openssl 0.9.8i.
>
> line 650 in v3_purp.c:
>
> if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
>     return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
>
> nm is the DirName thing in the subject cert's AKID, ie
> "/O=WatchGuard_Technologies/OU=Fireware/CN=Resigning_CA"
> and "issuer" is the intermediate CA cert, so its
> "X509_get_issuer_name(issuer)" will be name of root CA.
> so the comparison will fail, and you get the error.
>
> looks like it should be "X509_get_subject_name(issuer)"
$ ./openssl version
OpenSSL 0.9.8i 15 Sep 2008
$
$ ./openssl verify -CApath cas cas/int.pem
cas/int.pem: OK
$
$ ./openssl verify -CApath cas yahoo.pem
yahoo.pem: /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=login.yahoo.com
error 20 at 0 depth lookup:unable to get local issuer certificate
$
$ gdb --args ./openssl verify -CApath cas yahoo.pem
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb)
(gdb) b v3_purp.c:630
Breakpoint 1 at 0x812d0e7: file v3_purp.c, line 630.
(gdb) b v3_purp.c:651
Breakpoint 2 at 0x812d186: file v3_purp.c, line 651.
(gdb) r
Starting program: ./openssl verify -CApath cas yahoo.pem

Breakpoint 2, X509_check_issued (issuer=0x8204e68, subject=0x8204760) at v3_purp.c:651
651         return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
(gdb) p nm
$1 = (X509_NAME *) 0x820bf18
(gdb) p X509_NAME_oneline(nm,0,0)
$2 = 0x820c0f8 "/O=WatchGuard_Technologies/OU=Fireware/CN=Resigning_CA"
(gdb) p issuer
$3 = (X509 *) 0x8204e68
(gdb) set nm=X509_get_issuer_name(issuer)
(gdb) p nm
$4 = (X509_NAME *) 0x8206310
(gdb) p X509_NAME_oneline(nm,0,0)
$5 = 0x820c208 "/C=US/ST=Washington/O=Foobar/OU=foobar/CN=Foo B. Ar/emailaddress=...@bar.com"
(gdb) set nm=X509_get_subject_name(issuer)
(gdb) p nm
$6 = (X509_NAME *) 0x82083b0
(gdb) p X509_NAME_oneline(nm,0,0)
$7 = 0x820c318 "/O=WatchGuard_Technologies/OU=Fireware/CN=Resigning_CA"
(gdb)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
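What a chain whose certificates carry an AKID with keyid AND issuer DirName/serial looks like when OpenSSL itself generates it, and a check that such a chain verifies, as an added shell example that is not code from the thread: it assumes the openssl command-line tool is on PATH, and the subject names (Example Root, Resigning_CA, login.example.test) are made up.

```shell
# Added example (not from the thread): build a root -> intermediate -> leaf
# chain whose CA and leaf certs carry an AKID with keyid AND issuer DirName +
# serial (authorityKeyIdentifier=keyid,issuer:always), verify it, and print the
# leaf AKID beside the intermediate's own issuer/serial, which are the names
# X509_check_issued() compares (RFC 5280 4.2.1.1). Assumes openssl on PATH.
set -e
# Write root.pem, int.pem, leaf.pem (and keys) into the directory given.
build_chain() (
    cd "$1"
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
    # Self-signed root with an SKI so the intermediate can reference it by keyid.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/O=Example/CN=Example Root" -days 365 -config ext.cnf \
        -extensions ca_ext 2>/dev/null
    # Intermediate: AKID gets the root's keyid, the root's issuer DN and serial.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/O=Example/OU=Fireware/CN=Resigning_CA" -config ext.cnf 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 365 -extfile ext.cnf -extensions ca_ext 2>/dev/null
    # Leaf: AKID gets the intermediate's keyid, its issuer DN (the root) and serial.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/O=Example/CN=login.example.test" -config ext.cnf 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 365 -extfile ext.cnf -extensions leaf_ext 2>/dev/null
)
# Prints OK when the chain validates with root.pem trusted and int.pem untrusted.
verify_chain() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    "$1/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL; }
# Prints the AKID block (keyid, DirName, serial) of the certificate given.
show_akid() { openssl x509 -in "$1" -noout -text | grep -A3 'Authority Key Identifier'; }
workdir=$(mktemp -d)
build_chain "$workdir"
echo "verify: $(verify_chain "$workdir")"
show_akid "$workdir/leaf.pem"
openssl x509 -in "$workdir/int.pem" -noout -issuer -serial
```

The DirName and serial printed for the leaf are those of the intermediate's issuer and serial number, not the intermediate's own subject, so a cert whose AKID carries the issuing CA's subject DN instead will trip the X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH path seen in the gdb session.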