[openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:

2012-09-13 Thread David Shambroom via RT
Using:
Windows 7 Professional SP1
openssl-1.0.0g

Build:
perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl
ms\do_win64a
nmake -f ms\nt.mak

source file:
openssl-1.0.0g\crypto\x509v3\v3_purp.c

function:
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)

line 762:
 if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
                                     ^^
I believe this should be:
 if(nm && X509_NAME_cmp(nm, X509_get_subject_name(issuer)))
                                     ^^^
I have tested and verified this fix.

Best regards,
--David Shambroom
-- 
W. David Shambroom, Ph.D.
Security Architect, InterSystems Corporation
w...@intersystems.com; 617.551.2143; fax: 617.494.1631

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl-dev] [openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:

2012-09-13 Thread David Shambroom via RT
Thank you for the correction.  Obviously the authorityCertIssuer 
must correspond to the authorityCertSerialNumber.  Please close this ticket.

On 9/13/2012 4:40 AM, Erwann Abalea via RT wrote:
> Hello,
>
> The goal of this function is to determine if a given
> authorityKeyIdentifier extension matches an issuer certificate
> (issuer=authority).
>
> The AKI extension can contain 3 elements:
> - keyIdentifier
> - authorityCertIssuer
> - authorityCertSerialNumber
>
> (X.509 mandates that the last 2 MUST be present together, this
> constraint is not mentioned in RFC5280)
>
> The first element is to be compared with the issuer's
> subjectKeyIdentifier, if present.
>
> The 2nd and 3rd elements are to be compared with the issuer's issuerName
> and issuer's serialNumber, respectively.
> They are here to uniquely identify a certificate, and a certificate is
> uniquely identified by its issuer's name and its own serial number.
>
> Therefore the fix is incorrect. If you've got a certificate chain that
> doesn't validate the AKI with the last 2 elements, it surely means your
> certificates are improperly constructed.
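
The matching rule described in the quoted reply, as an added example that is not part of the thread and is not OpenSSL's code: a self-contained C model showing that a self-signed issuer hides the difference between the two comparisons, while an intermediate CA exposes it. The struct types, result names and sample chain are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model with hypothetical types, not OpenSSL's X509 / AUTHORITY_KEYID. */
struct cert {
    const char *subject, *issuer;  /* own name; name of the CA that issued it */
    const char *serial;            /* serial number assigned by that CA */
    const char *skid;              /* subjectKeyIdentifier, or NULL */
};
struct akid {
    const char *key_id;       /* keyIdentifier, or NULL */
    const char *cert_issuer;  /* authorityCertIssuer, or NULL */
    const char *cert_serial;  /* authorityCertSerialNumber, or NULL */
};
enum akid_result { AKID_OK, AKID_SKID_MISMATCH, AKID_ISSUER_SERIAL_MISMATCH, AKID_MALFORMED };

/* Does akid (from a child certificate) identify the certificate `authority`? */
enum akid_result check_akid(const struct cert *authority, const struct akid *akid)
{
    if (akid == NULL)
        return AKID_OK;  /* no extension, nothing to contradict */
    /* keyIdentifier against the authority's subjectKeyIdentifier, when both exist */
    if (akid->key_id && authority->skid && strcmp(akid->key_id, authority->skid) != 0)
        return AKID_SKID_MISMATCH;
    /* X.509: authorityCertIssuer and authorityCertSerialNumber come as a pair */
    if ((akid->cert_issuer == NULL) != (akid->cert_serial == NULL))
        return AKID_MALFORMED;
    /* The pair names the authority's certificate: (name of ITS issuer, its own serial) */
    if (akid->cert_issuer && (strcmp(akid->cert_serial, authority->serial) != 0 ||
                              strcmp(akid->cert_issuer, authority->issuer) != 0))
        return AKID_ISSUER_SERIAL_MISMATCH;
    return AKID_OK;
}

/* Constructed sample chain: Root CA (self-signed) -> Intermediate CA -> leaf. */
static const struct cert root  = { "CN=Root CA", "CN=Root CA", "01", "AA" };
static const struct cert inter = { "CN=Intermediate CA", "CN=Root CA", "1F", "BB" };
static const struct akid inter_akid = { "AA", "CN=Root CA", "01" };  /* AKI in inter */
static const struct akid leaf_akid  = { "BB", "CN=Root CA", "1F" };  /* AKI in leaf */
/* Improperly constructed AKI: carries the intermediate's subject name instead */
static const struct akid leaf_akid_bad = { "BB", "CN=Intermediate CA", "1F" };

int main(void)
{
    printf("inter AKI vs root:     %d\n", check_akid(&root, &inter_akid));
    printf("leaf AKI vs inter:     %d\n", check_akid(&inter, &leaf_akid));
    printf("bad leaf AKI vs inter: %d\n", check_akid(&inter, &leaf_akid_bad));
    return 0;
}
```

Because the root's subject and issuer names are identical, a test chain whose only CA is self-signed passes under either comparison; the difference only shows once the issuing CA is itself issued by another CA.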





Re: [openssl.org #2879] AutoReply: Bug report - X509_check_akid() incorrectly handles dirName:

2012-09-13 Thread David Shambroom via RT
Please close this ticket.  It is wrong.

On 9/13/2012 3:15 AM, The default queue via RT wrote:

> Greetings,
>
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
>   Bug report - X509_check_akid() incorrectly handles dirName:,
> a summary of which appears below.
>
> There is no need to reply to this message right now.  Your ticket has been
> assigned an ID of [openssl.org #2879].
>
> Please include the string:
>
>   [openssl.org #2879]
>
> in the subject line of all future correspondence about this issue. To do so,
> you may reply to this message.
>
>  Thank you,
>  r...@openssl.org
>
> -
> Using:
> Windows 7 Professional SP1
> openssl-1.0.0g
>
> Build:
> perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl
> ms\do_win64a
> nmake -f ms\nt.mak
>
> source file:
> openssl-1.0.0g\crypto\x509v3\v3_purp.c
>
> function:
> int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
>
> line 762:
>   if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
>                                       ^^
> I believe this should be:
>   if(nm && X509_NAME_cmp(nm, X509_get_subject_name(issuer)))
>                                       ^^^
> I have tested and verified this fix.
>
> Best regards,
> --David Shambroom





[openssl.org #1704] bug report, Windows VC-32 debug build

2008-06-17 Thread David Shambroom via RT
In util\pl\VC-32.pl, all instances of $dbg_cflags need to include the 
switch /Zi.  Tested successfully with 0.9.8d and Visual C++ 8.
