On 30.04.14 16:13, Viktor Dukhovni wrote:

The function is part of the public API (its name starts with an
upper case X509 not x509 as with internal interfaces), so changing
its semantics would introduce an incompatibility with applications
that rely on the old behaviour.

Well, bug fixes in general tend to introduce incompatibility :-)

I'm not yet claiming that this is a bug, but consider the following test case:

1) Certificate that has an Authority Key Identifier extension (save as file "testcert.pem"):


2) Test program that loads the certificate and invokes X509_check_akid() for the certificate with its own Authority Key Identifier (all error checks omitted for brevity):

------------ snip ---------------
/*
 * Test program for X509_check_akid()
 *
 * The program loads a certificate that has the
 * "X509v3 Authority Key Identifier" and invokes X509_check_akid()
 * with this authority key identifier and the certificate itself.
 */

#include <stdio.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>

int main(void)
{
    BIO *pem;
    const char *file = "testcert.pem";
    X509 *cert;
    int akid_check;

    pem = BIO_new(BIO_s_file());
    if (pem == NULL)
        return 1;

    BIO_read_filename(pem, file);

    cert = PEM_read_bio_X509_AUX(pem, NULL, NULL, NULL);
    if (cert == NULL) {
        fprintf(stderr, "could not load %s\n", file);
        BIO_free(pem);
        return 1;
    }

    /* Populate the cached extension fields (including cert->akid). */
    X509_check_purpose(cert, -1, -1);

    /* Check the certificate against its own Authority Key Identifier. */
    akid_check = X509_check_akid(cert, cert->akid);

    printf("X509_check_akid result %d '%s'\n", akid_check,
            X509_verify_cert_error_string(akid_check));

    X509_free(cert);
    BIO_free(pem);
    return 0;
}
------------ snip ---------------

When compiled and executed with a current OpenSSL build from the OpenSSL_1_0_2-stable branch the program prints:

X509_check_akid result 0 'ok'

It is hard to argue whether this is a bug as there's no documentation of what X509_check_akid() is actually supposed to do. Nevertheless I think it's wrong that it identifies a certificate as its own issuer although it's not self-signed. As far as I understand, fixing this borderline case would not have an impact on the "normal" usage, where the Authority Key Identifier of a certificate is checked against a different certificate.

Stephan
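An added illustration of the borderline case discussed above (example code, not OpenSSL's implementation): a simplified model of an AKID-vs-issuer check in plain C, with constructed stand-in values. It assumes the lenient rule that explains the "ok" result seen here (a field absent on either side is not compared), and contrasts it with a stricter variant that demands a positive key-identifier match, which only changes the self-check and not the normal issuer check.

```c
#include <string.h>
#include <stddef.h>

#define AKID_OK              0   /* stands in for X509_V_OK */
#define AKID_SKID_MISMATCH   1   /* stands in for X509_V_ERR_AKID_SKID_MISMATCH */
#define AKID_SERIAL_MISMATCH 2   /* stands in for X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH */

/* Constructed stand-ins for the X509 / AUTHORITY_KEYID fields involved. */
struct cert { const char *skid; long serial; };            /* skid NULL = absent */
struct akid { const char *keyid; int has_serial; long serial; };

/* Lenient model (assumption, matching the "ok" observed in the thread):
 * a field missing on either side is not compared at all. */
int check_akid_lenient(const struct cert *issuer, const struct akid *a)
{
    if (a->keyid && issuer->skid && strcmp(a->keyid, issuer->skid) != 0)
        return AKID_SKID_MISMATCH;
    if (a->has_serial && a->serial != issuer->serial)
        return AKID_SERIAL_MISMATCH;
    return AKID_OK;
}

/* Stricter variant: an AKID keyid must positively match an issuer SKID,
 * so a certificate without an SKID can never be its own issuer here. */
int check_akid_strict(const struct cert *issuer, const struct akid *a)
{
    if (a->keyid && (!issuer->skid || strcmp(a->keyid, issuer->skid) != 0))
        return AKID_SKID_MISMATCH;
    if (a->has_serial && a->serial != issuer->serial)
        return AKID_SERIAL_MISMATCH;
    return AKID_OK;
}

/* The thread's case: a cert carrying only an AKID keyid (no SKID), checked
 * against itself. strict=0 gives the lenient result, strict=1 the strict one. */
int self_check(int strict)
{
    struct cert self = { NULL, 2 };                        /* constructed values */
    struct akid a = { "constructed-ca-keyid", 0, 0 };      /* constructed values */
    return strict ? check_akid_strict(&self, &a) : check_akid_lenient(&self, &a);
}

/* The normal case: the same AKID checked against a CA whose SKID matches
 * (match=1) or differs (match=0); both variants agree here. */
int issuer_check(int strict, int match)
{
    struct cert ca = { match ? "constructed-ca-keyid" : "other-keyid", 1 };
    struct akid a = { "constructed-ca-keyid", 0, 0 };
    return strict ? check_akid_strict(&ca, &a) : check_akid_lenient(&ca, &a);
}
```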
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org