Re: openssl ca sets wrong authorityKeyIdentifier
Michael Bell wrote:
> Hi,
>
> I found a bug in openssl ca. If you set authorityKeyIdentifier to keyid and
> issuer always then the keyid will be set correctly but the issuer is wrong.
>
> Example:
>
> Root-CA -- Sub-Level 1 CA -- Sub-Level 2 CA -- User
>
> If I issue a certificate for a user then the issuer of the CA-cert is the
> DN of the Root-CA.

What do you mean here? Are you saying that the authorityKeyIdentifier in the
Sub-Level 2 CA issuer name is the root CA? If so that's correct because it's
telling you the issuer and serial number of the CA that issued it.

> I found a problem in two files:

[description deleted]

The i2v functions convert the internal form (C structure) into a stack of
name+value pairs and are used to produce a human readable version of the
extension. That's actually not connected with the way the authority key
identifier is automatically generated. The code to do that is in
v2i_AUTHORITY_KEYID().

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: openssl ca sets wrong authorityKeyIdentifier
Dr S N Henson wrote:
> Michael Bell wrote:
>> Hi,
>>
>> I found a bug in openssl ca. If you set authorityKeyIdentifier to keyid
>> and issuer always then the keyid will be set correctly but the issuer is
>> wrong.
>>
>> Example:
>>
>> Root-CA -- Sub-Level 1 CA -- Sub-Level 2 CA -- User
>>
>> If I issue a certificate for a user then the issuer of the CA-cert is the
>> DN of the Root-CA.
>
> What do you mean here? Are you saying that the authorityKeyIdentifier in
> the Sub-Level 2 CA issuer name is the root CA? If so that's correct because
> it's telling you the issuer and serial number of the CA that issued it.

If the new cert is for a user then the authorityKeyIdentifier issuer must be
the DN from Sub-Level 1 CA but the DN is from the Root-CA. The issuer of the
CA-certificate of Sub-Level 2 CA is the Sub-Level 1 CA. The issuer and serial
number of the CA that issued the Sublevel 1 CA must be from Sublevel 2 CA but
OpenSSL uses the DN of the Root-CA for the issuer.

Michael
--
Michael Bell                        Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter          Email: [EMAIL PROTECTED]
Humboldt-University of Berlin       Tel.: +49 (0)30-2093 2482
Unter den Linden 6                  Fax: +49 (0)30-2093 2959
10099 Berlin, Germany               http://www.openca.org
Re: openssl ca sets wrong authorityKeyIdentifier
Michael Bell wrote:
> Dr S N Henson wrote:
>> Michael Bell wrote:
>>> Hi,
>>>
>>> I found a bug in openssl ca. If you set authorityKeyIdentifier to keyid
>>> and issuer always then the keyid will be set correctly but the issuer
>>> is wrong.
>>>
>>> Example:
>>>
>>> Root-CA -- Sub-Level 1 CA -- Sub-Level 2 CA -- User
>>>
>>> If I issue a certificate for a user then the issuer of the CA-cert is
>>> the DN of the Root-CA.
>>
>> What do you mean here? Are you saying that the authorityKeyIdentifier in
>> the Sub-Level 2 CA issuer name is the root CA? If so that's correct
>> because it's telling you the issuer and serial number of the CA that
>> issued it.
>
> If the new cert is for a user then the authorityKeyIdentifier issuer must
> be the DN from Sub-Level 1 CA but the DN is from the Root-CA. The issuer
> of the CA-certificate of Sub-Level 2 CA is the Sub-Level 1 CA. The issuer
> and serial number of the CA that issued the Sublevel 1 CA must be from
> Sublevel 2 CA but OpenSSL uses the DN of the Root-CA for the issuer.

I can't see how that can happen. The ca command only passes the issuing CA
certificate to the extension routines. It does not have access to any other
CA certificate. It fills in the authority key identifier by extracting the
issuer name of that issuing authority and its serial number.

Is the issuer name of the CA correct? If there's nothing obviously wrong can
you send me an example of a user certificate exhibiting this behaviour and
all the CA certificates too?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: openssl ca sets wrong authorityKeyIdentifier
On 02-03-19 23:05:52 CET, Dr S N Henson wrote:
> I can't see how that can happen. The ca command only passes the issuing CA
> certificate to the extension routines. It does not have access to any
> other CA certificate. It fills in the authority key identifier by
> extracting the issuer name of that issuing authority and its serial number.

but it seems that it indeed does happen.

> Is the issuer name of the CA correct? If there's nothing obviously wrong
> can you send me an example of a user certificate exhibiting this behaviour
> and all the CA certificates too?

the user cert has the user CA's DN in the issuer DN (CN=User CA) and the root
CA's DN in the authority key identifier DirName (CN=Test-CA (G4)), see the
attached example. But the user cert's authority key identifier keyid is the
user CA cert's subject key identifier and the user cert's authority key
identifier serial is the user CA cert's serial.

((I ask myself) what's that X509v3 Authority Key Identifier exactly
anyway...?)

rj

Attachment: example.tar (Unix tar archive)
Re: openssl ca sets wrong authorityKeyIdentifier
Robert Joop wrote:
> the user cert has the user CA's DN in the issuer DN (CN=User CA) and the
> root CA's DN in the authority key identifier DirName (CN=Test-CA (G4)),
> see the attached example. But the user cert's authority key identifier
> keyid is the user CA cert's subject key identifier and the user cert's
> authority key identifier serial is the user CA cert's serial.
>
> ((I ask myself) what's that X509v3 Authority Key Identifier exactly
> anyway...?)

The extension is meant as a way of uniquely identifying the issuing authority
of a certificate. The subject and issuer names don't have to be unique and
this extension is to resolve ambiguity. Two ways to identify a certificate
are by its subject key identifier extension or its issuer name and serial
number. The relevant standards say that issuer name and serial number *must*
be unique.

What you've got in those certificates is exactly as it should be. For the end
user certificate there is:

    X509v3 Authority Key Identifier:
        keyid:6B:2B:4B:20:1D:72:8F:1E:B7:9E:98:BC:6B:9F:D4:09:D7:EB:72:AD
        DirName:/C=DE/L=Berlin/O=Fraunhofer-Gesellschaft/OU=FOKUS/OU=PLATIN/CN=Test-CA (G4)[EMAIL PROTECTED]
        serial:02

If you then look at the CA that signed this certificate using:

    openssl x509 -in userCA\cacert.pem -noout -issuer -serial
    issuer= /C=DE/L=Berlin/O=Fraunhofer-Gesellschaft/OU=FOKUS/OU=PLATIN/CN=Test-CA (G4)[EMAIL PROTECTED]
    serial=02

it matches what you get above. Because this CA is signed by the root CA what
you get in here is also the subject and issuer DNs of the root CA.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
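The chain discussed in this thread, reproduced as an added example that is not part of the original posts and not OpenSSL project code: a POSIX shell script that builds Root-CA -> Sub-CA -> user with `authorityKeyIdentifier = keyid, issuer:always` on every certificate, then reads the user certificate's AKI fields back and sets them beside the Sub-CA's own subject key identifier, issuer name and serial number. The DNs, the serial numbers (0x1234 for the Sub-CA, 0x42 for the user), the file names and the `v3_ca`/`v3_ee` section names are this example's own choices; it assumes an `openssl` command-line binary (1.1.1 or 3.x) on PATH and a writable temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): show what "keyid, issuer:always" puts
# into an end-entity certificate's authorityKeyIdentifier, and where each
# value comes from. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH.
set -eu

# Minimal config so the system openssl.cnf is never consulted. The section
# names v3_ca and v3_ee are ours; the DN section only satisfies "req".
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always

[ v3_ee ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
EOF
}

# build_chain DIR: Root-CA (self-signed) -> Sub-CA (serial 0x1234) -> user
# (serial 0x42). Leaves root.pem, sub.pem and user.pem in DIR.
build_chain() {
  d=$1
  cfg=$d/ext.cnf
  write_config "$cfg"
  for n in root sub user; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$n.key"
  done
  openssl req -new -x509 -key "$d/root.key" -config "$cfg" -extensions v3_ca \
    -subj "/C=DE/O=Example/CN=Root-CA" -days 3650 -sha256 -out "$d/root.pem"
  openssl req -new -key "$d/sub.key" -config "$cfg" \
    -subj "/C=DE/O=Example/CN=Sub-CA" -out "$d/sub.csr"
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 0x1234 -days 1825 -sha256 -extfile "$cfg" -extensions v3_ca \
    -out "$d/sub.pem"
  openssl req -new -key "$d/user.key" -config "$cfg" \
    -subj "/C=DE/O=Example/CN=user" -out "$d/user.csr"
  openssl x509 -req -in "$d/user.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -set_serial 0x42 -days 365 -sha256 -extfile "$cfg" -extensions v3_ee \
    -out "$d/user.pem"
  # Path building still succeeds with these AKI contents.
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/sub.pem" "$d/user.pem" >/dev/null
}

# aki_field CERT FIELD: the keyid, DirName or serial line of CERT's AKI as
# "openssl x509 -text" renders it, without the "FIELD:" prefix. Value lines
# of an extension are indented 16 columns; less than that ends the block.
aki_field() {
  openssl x509 -in "$1" -noout -text |
    awk -v want="$2" '
      /X509v3 Authority Key Identifier/ { in_aki = 1; next }
      in_aki {
        match($0, /^ */)
        if (RLENGTH < 16) exit
        sub(/^ */, "")
        if (index($0, want ":") == 1) { print substr($0, length(want) + 2); exit }
      }'
}

# ski CERT: CERT's subjectKeyIdentifier, colon-separated hex.
ski() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Key Identifier/ { getline; sub(/^ */, ""); print; exit }'
}

# issuer_dn CERT: issuer in the old "/C=../O=.." one-line form, which is the
# same form the AKI DirName is printed in, so the two compare as strings.
issuer_dn() {
  openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# serial_hex CERT: serial number as plain hex, no colons.
serial_hex() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial= *//'
}

# show_aki DIR: the user cert's AKI next to the Sub-CA fields it was built from.
show_aki() {
  d=$1
  echo "user AKI keyid   : $(aki_field "$d/user.pem" keyid)"
  echo "Sub-CA SKI       : $(ski "$d/sub.pem")"
  echo "user AKI DirName : $(aki_field "$d/user.pem" DirName)"
  echo "Sub-CA issuer    : $(issuer_dn "$d/sub.pem")"
  echo "Sub-CA subject   : $(openssl x509 -in "$d/sub.pem" -noout -subject -nameopt compat | sed 's/^subject= *//')"
  echo "user AKI serial  : $(aki_field "$d/user.pem" serial)"
  echo "Sub-CA serial    : $(serial_hex "$d/sub.pem")"
}

work=$(mktemp -d)
build_chain "$work"
show_aki "$work"
rm -rf "$work"
```

Run as a plain script: keyid equals the Sub-CA's SKI, serial equals the Sub-CA's serial, and DirName is `/C=DE/O=Example/CN=Root-CA` because that is the Sub-CA's *issuer*, not its subject. The Sub-CA's own AKI carries the same DirName (the root is self-signed), which is the coincidence that made the thread's output look wrong. One practical caveat: the name/serial pair pins one exact issuer certificate, so re-issuing the Sub-CA under the same key with a new serial stops the match in verifiers that honour authorityCertSerialNumber; RFC 5280 path validation only needs the key identifier, which is why `authorityKeyIdentifier = keyid` alone is the usual modern choice.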