[openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

Erwann Abalea erwann.abalea at opentrust.com
Mon Jun 1 08:15:50 UTC 2015


Bonjour,

> Le 30 mai 2015 à 09:48, John Lofgren via RT <rt at openssl.org> a écrit :
> 
> I believe I have pinpointed a typo-error that may be the cause of one or
> two other outstanding bugs related to certificate chain validation. This
> bug only occurs in a chain of certs at least 3 deep when the certs use
> the X509v3 Authority Key Identifier extension.
> 
> I am attaching a chain of 3 certs that verifies using the Windows
> Certificate Manager, but fails to verify in versions 1.0.1, 1.0.1c and
> 1.0.1m.
> 
> Example failure command:
> openssl verify -CAfile openssl-verify-chain-bug-CA.crt -untrusted
> openssl-verify-chain-bug-IM-CA.crt openssl-verify-chain-bug-CS.crt

This chain is malformed.
In the -bug-CS.crt certificate, the AKI.issuername should be "C=US, O=OpenSSL, CN=openssl verify chain bug Root CA" instead of "C=US, O=OpenSSL, CN=openssl verify chain bug Intermediate CA".

Microsoft doesn’t choke on it because this extension is only a helper and MUST NOT be used to (in)validate a certificate chain.

> If have also provided a one line patch to crypto/x509v3/v3_purp.c. I
> believe the error is due to a simple typo. The function X509_check_akid()
> is meant to compare the keyID, serial number, and issuer name between a
> cert and its issuer cert. The keyID and serial number compares are working
> correctly. However, when comparing the issuer name, instead of comparing
> the cert's issuer name to the issuer cert's subject name, it is comparing
> to the issuer cert's *issuer* name.  i.e. instead of comparing to the
> parent name, it is comparing to the grandparent name.

AKI is a helper to identify the issuer certificate. A certificate can uniquely be specified by its issuer name and serial number. Therefore, the AKI MUST contain the issuer’s issuer name and the issuer’s serial number.
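As an added illustration (not code from this thread or from OpenSSL), a simplified Python model of the AKI-to-issuer comparison discussed above, run over the DNs of the reported chain; the leaf subject, key identifiers and serial numbers are made up, and `patched=True` models the comparison the proposed one-line patch would perform instead.

```python
# Added example: model of AKI matching, not OpenSSL's X509_check_akid() itself.
from dataclasses import dataclass
from typing import List, Optional

ROOT_DN = "C=US, O=OpenSSL, CN=openssl verify chain bug Root CA"
IM_DN = "C=US, O=OpenSSL, CN=openssl verify chain bug Intermediate CA"
CS_DN = "C=US, O=OpenSSL, CN=openssl verify chain bug CS"  # assumed leaf DN


@dataclass
class AKI:
    keyid: Optional[bytes] = None   # keyIdentifier
    issuer: Optional[str] = None    # authorityCertIssuer (directoryName)
    serial: Optional[int] = None    # authorityCertSerialNumber


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes] = None    # Subject Key Identifier
    akid: Optional[AKI] = None


def check_akid(cert: Cert, issuer: Cert, patched: bool = False) -> bool:
    """RFC 5280 semantics: the AKI names the issuer's certificate by the
    values inside that certificate, i.e. the issuer's own issuer name and
    serial number.  Each field is compared only when present.
    patched=True compares the name to the issuer's *subject* instead, which
    is what the proposed patch would do."""
    a = cert.akid
    if a is None:
        return True
    if a.keyid is not None and issuer.skid is not None and a.keyid != issuer.skid:
        return False
    if a.serial is not None and a.serial != issuer.serial:
        return False
    expected_name = issuer.subject if patched else issuer.issuer
    return a.issuer is None or a.issuer == expected_name


def first_akid_mismatch(chain: List[Cert], patched: bool = False) -> int:
    """chain is leaf-first and ends at the self-signed root.  Returns the
    depth of the first certificate whose AKI does not match its issuer,
    or -1 when every link matches."""
    for depth in range(len(chain) - 1):
        if not check_akid(chain[depth], chain[depth + 1], patched):
            return depth
    return -1


# Constructed chain using the DNs from the report (key ids/serials made up).
ROOT = Cert(ROOT_DN, ROOT_DN, 1, b"\x01")
IM = Cert(IM_DN, ROOT_DN, 2, b"\x02", AKI(b"\x01", ROOT_DN, 1))
CS_OK = Cert(CS_DN, IM_DN, 3, b"\x03", AKI(b"\x02", ROOT_DN, 2))  # well-formed
CS_BAD = Cert(CS_DN, IM_DN, 3, b"\x03", AKI(b"\x02", IM_DN, 2))   # as reported
```

For the intermediate, issued by a self-signed root, both comparisons agree because the root's subject and issuer are the same name; the difference only surfaces at the third level, matching the "at least 3 deep" observation in the report.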
