<div dir="ltr">I completely agree with Jeffrey's comments, <div>"Applications are not required to verify that </div><div>key identifiers match when performing </div><div>certification path validation." (RFC5280) </div><div>But when the certificate has two authority </div><div>key ids, openssl may take it as a certificate </div><div>having no authority key ids (I think the certificate </div><div>is partially parsed and verified).<div><br></div><div>From the source code of openssl, it does </div><div>match the ids, if available (in v3_purp.c).</div><div><div><br></div><div>if(X509_NAME_cmp(X509_get_subject_name(issuer),</div><div> X509_get_issuer_name(subject)))</div><div> return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;</div><div> x509v3_cache_extensions(issuer);</div><div> x509v3_cache_extensions(subject);</div><div> </div><div> if(subject->akid)</div><div> {</div><div> int ret = X509_check_akid(issuer, subject->akid);</div><div> if (ret != X509_V_OK)</div><div> return ret;</div><div> }</div></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 5, 2015 at 7:47 PM, Yuting Chen <span dir="ltr"><<a href="mailto:chenyt@cs.sjtu.edu.cn" target="_blank">chenyt@cs.sjtu.edu.cn</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Read a little code of openssl, and found that in <div>the function </div><div><span style="color:rgb(0,0,0);background-color:rgb(202,215,254)">X509_check_issued(X509 *issuer, X509 *subject), </span></div><div><font color="#000000"><br></font></div><div><font color="#000000">The statement </font></div><div><span style="color:rgb(0,0,0);background-color:rgb(202,215,254)">x509v3_cache_extensions(subject);</span></div><div><font color="#000000">is called for four times, but one certificate did not </font></div><div><span style="color:rgb(0,0,0)">get the subject keyid (as the block of </span><span style="color:rgb(0,0,0);background-color:rgb(202,215,254)">if(subject->akid)</span><span style="color:rgb(0,0,0)"> is </span></div><div><span style="color:rgb(0,0,0)">called for three times). Seems that if the certificate</span></div><div><span style="color:rgb(0,0,0)">has two key ids, the verification is performed just on </span></div><div><span style="color:rgb(0,0,0)">the basis of their names (supposing that </span></div><div><span style="color:rgb(0,0,0)">subject->akid==NULL). </span></div><div><span style="color:rgb(0,0,0)"><br></span></div><div><span style="color:rgb(0,0,0)">Not so sure about the </span><span style="color:rgb(0,0,0)">correctness of my </span></div><div><span style="color:rgb(0,0,0)">reasoning. </span><span style="color:rgb(0,0,0)">It could be better if we can discard </span></div><div><span style="color:rgb(0,0,0)">these </span><span style="color:rgb(0,0,0)">certificates, as they will disturb</span><span style="color:rgb(0,0,0)"> the </span></div><div><span style="color:rgb(0,0,0)">verification. </span></div><div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 5, 2015 at 2:26 PM, Yuting Chen <span dir="ltr"><<a href="mailto:chenyt@cs.sjtu.edu.cn" target="_blank">chenyt@cs.sjtu.edu.cn</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I checked some other certificates, and found that some non self-signed certificates having duplicate extension instances can be verified by openssl. I guess openssl is quite gentle when validating these malformed certificates.</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 5, 2015 at 1:55 PM, Yuting Chen <span dir="ltr"><<a href="mailto:chenyt@cs.sjtu.edu.cn" target="_blank">chenyt@cs.sjtu.edu.cn</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi, when I verify an X509 cert against a ca certificate, I found that the cert can pass validation even if it has two instances of X509v3 Basic Constraints, X509v3 Subject Key ids, and authority key ids. Seems that some issues are not important in verification. (I guess one reason is that one subject key id is the same as the authority key id, and thus openssl may regard it as a self-signed certificate? ) Should this be forbidden?<div>command: openssl verify -x509_strict -verbose -CAfile myroot.pem mycert.pem</div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>