OpenSSL 111: authorityKeyIdentifier
Dirk Menstermann
noadsplease at web.de
Tue Mar 24 15:12:53 UTC 2020
Hi,
I’m using OpenSSL 1.1.1 to issue a certificate and include the AKI by defining
authorityKeyIdentifier = keyid,issuer:always
The issued certificate contains the AKI afterwards with 3 values:
KeyID: issuer's key id
Serial: issuer's serial
Issuer: the issuer’s issuer, not the issuer’s subject!
My expectation (maybe wrong) is that the serial and the issuer name belong to
the same X509 certificate that the key id belongs to.
The code is pretty clear:
static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                            X509V3_CTX *ctx,
                                            STACK_OF(CONF_VALUE) *values)
{
    cert = ctx->issuer_cert;      /* the CA certificate that signs the new cert */
    // Code left out
    /* "issuer" set (and no keyid found) or "issuer:always": take name and serial
     * from the CA certificate itself, i.e. the CA cert's own issuer name and the
     * CA cert's serial number */
    if ((issuer && !ikeyid) || (issuer == 2)) {
        isname = X509_NAME_dup(X509_get_issuer_name(cert));
        serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
        if (!isname || !serial) {
            X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
                      X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
            goto err;
        }
    }
}
Is this a bug or is my expectation wrong? Is it documented that these 3
values do not need to belong together?
Thanks
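An added example, not part of the original message, that reproduces the setup with the openssl CLI (assumed to be 1.1.1 or later, for "x509 -ext") on a constructed root/intermediate/leaf chain and checks which certificate's key id, issuer name and serial number the three AKI fields actually hold. All names, file names and the temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original message): build a constructed
# root -> intermediate -> leaf chain with the openssl CLI and check which
# certificate the three AKI fields written by "keyid,issuer:always" describe.
# Assumes openssl 1.1.1 or later on PATH (for "x509 -ext").
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints = CA:TRUE\nsubjectKeyIdentifier = hash\n' > int.ext
# The leaf setting the post asks about.
printf 'authorityKeyIdentifier = keyid,issuer:always\n' > leaf.ext

# Constructed test PKI: self-signed root, intermediate signed by it, leaf signed by the intermediate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -subj "/CN=Test Root" -days 1 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Test Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -out int.crt -days 1 -extfile int.ext 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=leaf" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -out leaf.crt -days 1 -extfile leaf.ext 2>/dev/null

# One AKI field (keyid, DirName or serial) of certificate $1, as printed by "x509 -ext".
aki_field() { openssl x509 -in "$1" -noout -ext authorityKeyIdentifier | sed -n "s/^ *$2://p" | head -n 1; }
# Subject Key Identifier of $1 (the value line under the extension header).
ski() { openssl x509 -in "$1" -noout -ext subjectKeyIdentifier | awk 'NR==2 { gsub(/ /, ""); print }'; }
# Serial (hex, no colons) and names (RFC 2253 form) of $1, for plain string comparison.
serial_of() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
issuer_of() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | cut -d= -f2-; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | cut -d= -f2-; }

# Succeeds when the leaf's AKI keyid is the intermediate's SKI, its serial is the
# intermediate's serial and its DirName is the intermediate's *issuer* (the root's
# name): all three fields then identify the intermediate's own certificate, which is
# the RFC 5280 meaning of authorityCertIssuer/authorityCertSerialNumber.
leaf_aki_identifies_issuer_cert() {
  aki_dirname=$(aki_field leaf.crt DirName | sed 's#^/##')
  [ "$(aki_field leaf.crt keyid)" = "$(ski int.crt)" ] || return 1
  [ "$(aki_field leaf.crt serial | tr -d ':')" = "$(serial_of int.crt)" ] || return 1
  [ "$aki_dirname" = "$(issuer_of int.crt)" ] || return 1
  # ... and it is not the intermediate's subject, which is what the post expected.
  [ "$aki_dirname" != "$(subject_of int.crt)" ]
}
```

The check passes with OpenSSL's behaviour: the DirName is the intermediate's issuer (the root) and the serial is the intermediate's serial, so the three values do belong to one certificate, namely the issuing CA's own certificate rather than the certificate being issued.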