Re: [openssl.org #2879] AutoReply: Bug report - X509_check_akid() incorrectly handles dirName:
Please close this ticket. It is wrong.

On 9/13/2012 3:15 AM, The default queue via RT wrote:
> Greetings,
>
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
> "Bug report - X509_check_akid() incorrectly handles dirName:",
> a summary of which appears below.
>
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [openssl.org #2879].
>
> Please include the string:
>
> [openssl.org #2879]
>
> in the subject line of all future correspondence about this issue. To do so,
> you may reply to this message.
>
> Thank you,
> r...@openssl.org
>
> -
> Using:
> Windows 7 Professional SP1
> openssl-1.0.0g
>
> Build:
> perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl
> ms\do_win64a
> nmake -f ms\nt.mak
>
> source file:
> openssl-1.0.0g\crypto\x509v3\v3_purp.c
>
> function:
> int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
>
> line 762:
> if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
>                                     ^^
> I believe this should be:
> if(nm && X509_NAME_cmp(nm, X509_get_subject_name(issuer)))
>                                     ^^^
> I have tested and verified this fix.
>
> Best regards,
> --David Shambroom

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
Re: [openssl-dev] [openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:
Thank you for the correction. Obviously the authorityCertIssuer must
correspond to the authorityCertSerialNumber. Please close this ticket.

On 9/13/2012 4:40 AM, Erwann Abalea via RT wrote:
> Hello,
>
> The goal of this function is to determine if a given
> authorityKeyIdentifier extension matches an issuer certificate
> (issuer=authority).
>
> The AKI extension can contain 3 elements:
>  - keyIdentifier
>  - authorityCertIssuer
>  - authorityCertSerialNumber
>
> (X.509 mandates that the last 2 MUST be present together, this
> constraint is not mentioned in RFC5280)
>
> The first element is to be compared with the issuer's
> subjectKeyIdentifier, if present.
>
> The 2nd and 3rd element are to be compared with the issuer's issuerName
> and issuer's serialNumber, respectively.
> They are here to uniquely identify a certificate, and a certificate is
> uniquely identified by its issuer's name and its own serial number.
>
> Therefore the fix is incorrect. If you've got a certificate chain that
> doesn't validate the AKI with the last 2 elements, it surely means your
> certificates are improperly constructed.
how to check whether the openssl which is built has all the cipher suites required
Hi,

I have added the AES-ECC-CCM cipher suite to the openssl downloaded from this site:
https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid

After I ran the android-ndk build I got the 4 shared libraries
*libssl.so, libcrypto.so, openssl, ssltest*.
Now I have to check the cipher suite which I have added into that.
Is there some way to check?

Rgds
Indu
Re: [openssl-dev] [openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:
Hello,

The goal of this function is to determine if a given authorityKeyIdentifier
extension matches an issuer certificate (issuer=authority).

The AKI extension can contain 3 elements:
 - keyIdentifier
 - authorityCertIssuer
 - authorityCertSerialNumber

(X.509 mandates that the last 2 MUST be present together, this constraint is
not mentioned in RFC5280)

The first element is to be compared with the issuer's subjectKeyIdentifier,
if present.

The 2nd and 3rd element are to be compared with the issuer's issuerName and
issuer's serialNumber, respectively.
They are here to uniquely identify a certificate, and a certificate is
uniquely identified by its issuer's name and its own serial number.

Therefore the fix is incorrect. If you've got a certificate chain that
doesn't validate the AKI with the last 2 elements, it surely means your
certificates are improperly constructed.

-- 
Erwann ABALEA - yachtitropicomythivorotrièdre: Bermuda Triangle

On 13/09/2012 09:15, David Shambroom via RT wrote:
> Using:
> Windows 7 Professional SP1
> openssl-1.0.0g
>
> Build:
> perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl
> ms\do_win64a
> nmake -f ms\nt.mak
>
> source file:
> openssl-1.0.0g\crypto\x509v3\v3_purp.c
>
> function:
> int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
>
> line 762:
> if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
>                                     ^^
> I believe this should be:
> if(nm && X509_NAME_cmp(nm, X509_get_subject_name(issuer)))
>                                     ^^^
> I have tested and verified this fix.
>
> Best regards,
> --David Shambroom
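As an added example (not OpenSSL's own code and not part of this thread), here is a small dependency-free Python model of the three comparisons Erwann describes, run over a constructed Root -> Intermediate -> Leaf chain. The Cert/AuthorityKeyId field layout, the string-valued names and the sample serials and key identifiers are assumptions made for the example; the return-code names and numbers follow OpenSSL's x509_vfy.h. It shows that an AKI built the way a correct CA builds it (authorityCertIssuer = the CA's own issuer name, authorityCertSerialNumber = the CA's own serial) passes against that CA's certificate, while an AKI whose DirName is the CA's subject name, which is what the proposed one-line "fix" would have accepted, is rejected with the issuer/serial mismatch code, exactly as the thread concludes.

```python
"""Model of the X509_check_akid() matching rules (added example, not OpenSSL code).

A leaf's authorityKeyIdentifier (AKI) must identify the certificate of the CA
that signed it.  keyIdentifier is matched against the CA's subjectKeyIdentifier;
authorityCertIssuer + authorityCertSerialNumber together name *one* certificate,
which is why the DirName is compared with the CA certificate's own issuer name,
not its subject name.
"""
from dataclasses import dataclass
from typing import Optional

# Return codes named and numbered as in OpenSSL's x509_vfy.h.
X509_V_OK = 0
X509_V_ERR_AKID_SKID_MISMATCH = 30
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 31


@dataclass(frozen=True)
class Cert:
    """Assumed minimal certificate: names are plain strings for the example."""
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes]          # subjectKeyIdentifier, if the cert carries one


@dataclass(frozen=True)
class AuthorityKeyId:
    keyid: Optional[bytes] = None  # keyIdentifier
    dir_name: Optional[str] = None  # first DirName in authorityCertIssuer
    serial: Optional[int] = None   # authorityCertSerialNumber


def check_akid(issuer: Cert, akid: Optional[AuthorityKeyId]) -> int:
    """Mirror of X509_check_akid(): does `akid` identify the `issuer` cert?"""
    if akid is None:
        return X509_V_OK
    # 1. keyIdentifier vs. the issuer's subjectKeyIdentifier (only if both exist)
    if akid.keyid is not None and issuer.skid is not None and akid.keyid != issuer.skid:
        return X509_V_ERR_AKID_SKID_MISMATCH
    # 2. authorityCertSerialNumber vs. the issuer cert's own serial
    if akid.serial is not None and akid.serial != issuer.serial:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    # 3. authorityCertIssuer DirName vs. the issuer cert's *issuer* name
    if akid.dir_name is not None and akid.dir_name != issuer.issuer:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    return X509_V_OK


def issuer_and_serial_paired(akid: AuthorityKeyId) -> bool:
    """X.509's structural rule from the thread: DirName and serial go together."""
    return (akid.dir_name is None) == (akid.serial is None)


def build_akid_for(ca: Cert) -> AuthorityKeyId:
    """What a correctly built cert signed by `ca` carries in its AKI."""
    return AuthorityKeyId(keyid=ca.skid, dir_name=ca.issuer, serial=ca.serial)


# Constructed sample chain (values are made up for the example).
ROOT = Cert(subject="CN=Example Root", issuer="CN=Example Root", serial=1, skid=b"\x01")
INTER = Cert(subject="CN=Example Intermediate", issuer="CN=Example Root", serial=4711, skid=b"\x02")

# Leaf built correctly: AKI names INTER by (INTER.issuer, INTER.serial).
LEAF_OK_AKID = build_akid_for(INTER)

# Leaf built wrongly: DirName set to INTER's subject instead of INTER's issuer.
# This is the shape of chain the proposed fix (subject instead of issuer) would accept.
LEAF_BAD_AKID = AuthorityKeyId(keyid=INTER.skid, dir_name=INTER.subject, serial=INTER.serial)


def demo() -> dict:
    return {
        "correct_leaf_vs_inter": check_akid(INTER, LEAF_OK_AKID),   # 0
        "wrong_leaf_vs_inter": check_akid(INTER, LEAF_BAD_AKID),    # 31
        "correct_leaf_vs_root": check_akid(ROOT, LEAF_OK_AKID),     # 30 (wrong CA)
        "inter_vs_root": check_akid(ROOT, build_akid_for(ROOT)),    # 0 (self-signed root)
    }


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name}: {code}")
```

The third comparison is the one the ticket was about: because the model compares `akid.dir_name` with `issuer.issuer`, a chain whose leaf AKI carries the CA's subject name fails, and the right remedy is to re-issue the leaf with `build_akid_for(INTER)`, not to change the verifier.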
[openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:
Using:
Windows 7 Professional SP1
openssl-1.0.0g

Build:
perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl
ms\do_win64a
nmake -f ms\nt.mak

source file:
openssl-1.0.0g\crypto\x509v3\v3_purp.c

function:
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)

line 762:
if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
                                    ^^
I believe this should be:
if(nm && X509_NAME_cmp(nm, X509_get_subject_name(issuer)))
                                    ^^^
I have tested and verified this fix.

Best regards,
--David Shambroom

-- 
W. David Shambroom, Ph.D.
Security Architect, InterSystems Corporation
w...@intersystems.com; 617.551.2143; fax: 617.494.1631