[openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

John Lofgren via RT rt at openssl.org
Sat May 30 07:48:43 UTC 2015


I believe I have pinpointed a typo that may be the cause of one or
two other outstanding bugs related to certificate chain validation. This
bug only occurs in a chain of certs at least 3 deep when the certs use
the X509v3 Authority Key Identifier extension.

I am attaching a chain of 3 certs that verifies using the Windows
Certificate Manager, but fails to verify in versions 1.0.1, 1.0.1c and
1.0.1m.

Example failure command:
openssl verify -CAfile openssl-verify-chain-bug-CA.crt -untrusted
openssl-verify-chain-bug-IM-CA.crt openssl-verify-chain-bug-CS.crt

I have also provided a one line patch to crypto/x509v3/v3_purp.c. I
believe the error is due to a simple typo. The function X509_check_akid()
is meant to compare the keyID, serial number, and issuer name between a
cert and its issuer cert. The keyID and serial number comparisons are working
correctly. However, when comparing the issuer name, instead of comparing
the cert's issuer name to the issuer cert's subject name, it is comparing
to the issuer cert's *issuer* name, i.e. instead of comparing to the
parent name, it is comparing to the grandparent name.

John Lofgren

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl_bug.zip
Type: application/zip
Size: 4148 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150530/fc4a76ba/attachment.zip>
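Editor's added example (not OpenSSL's code, not the reporter's patch, and not the attached certificates): a small Python model of the three-field AKID comparison the report describes, run over a constructed Root CA -> Intermediate CA -> Code Signer chain. One caveat a practitioner needs before judging which comparison is "right": RFC 5280 section 4.2.1.1 defines authorityCertIssuer together with authorityCertSerialNumber as identifying the issuer's certificate, and a serial number is only unique under the name of the CA that issued that certificate, so per the RFC the name in the leaf's AKID is the intermediate's issuer (the root), not the intermediate's subject. Which check passes therefore depends on which name the CA tooling wrote into the extension, and the example tries both chain styles against both readings. It also shows why a two-level chain never exposes the difference: the root is self-signed, so its subject and issuer names are the same string. All names, serials and key identifiers below are made up.

```python
"""Model of an Authority Key Identifier (AKID) check over a three-level chain.

Constructed example: Cert and AKID are toy records, not OpenSSL X509 objects,
and the chain below is made up here, not the certificates attached to the report.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class AKID:
    """Authority Key Identifier extension (RFC 5280 section 4.2.1.1)."""
    key_id: Optional[bytes] = None       # keyIdentifier
    cert_issuer: Optional[str] = None    # authorityCertIssuer (one directoryName, as a string)
    cert_serial: Optional[int] = None    # authorityCertSerialNumber


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    subject_key_id: bytes                # Subject Key Identifier extension
    akid: Optional[AKID] = None


OK = "ok"
ERR_ISSUER_NAME_MISMATCH = "issuer_name_mismatch"
ERR_AKID_SKID_MISMATCH = "akid_skid_mismatch"                    # cf. X509_V_ERR_AKID_SKID_MISMATCH
ERR_AKID_ISSUER_SERIAL_MISMATCH = "akid_issuer_serial_mismatch"  # cf. X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH


def check_akid(cert: Cert, issuer: Cert, expected_name: Callable[[Cert], str]) -> str:
    """Compare cert's AKID against the candidate issuer.

    keyIdentifier and authorityCertSerialNumber have one sensible reading
    (the issuer's SKID, the issuer's own serial). Which name authorityCertIssuer
    must match is supplied by expected_name, so both readings from the report
    can be tried side by side.
    """
    akid = cert.akid
    if akid is None:
        return OK
    if akid.key_id is not None and akid.key_id != issuer.subject_key_id:
        return ERR_AKID_SKID_MISMATCH
    if akid.cert_serial is not None and akid.cert_serial != issuer.serial:
        return ERR_AKID_ISSUER_SERIAL_MISMATCH
    if akid.cert_issuer is not None and akid.cert_issuer != expected_name(issuer):
        return ERR_AKID_ISSUER_SERIAL_MISMATCH
    return OK


# Reading 1 (RFC 5280): authorityCertIssuer names the issuer of the issuer's
# certificate, i.e. the "grandparent" name the report objects to.
def akid_vs_issuer_issuer(cert: Cert, issuer: Cert) -> str:
    return check_akid(cert, issuer, lambda c: c.issuer)


# Reading 2 (the report's proposed patch): authorityCertIssuer names the issuer itself.
def akid_vs_issuer_subject(cert: Cert, issuer: Cert) -> str:
    return check_akid(cert, issuer, lambda c: c.subject)


def verify_chain(chain: List[Cert], checker: Callable[[Cert, Cert], str]) -> str:
    """Walk a leaf-first chain, checking each cert against the next one up."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return ERR_ISSUER_NAME_MISMATCH
        rc = checker(child, parent)
        if rc != OK:
            return rc
    return OK


def build_chain(rfc5280_names: bool) -> List[Cert]:
    """Constructed three-level chain, leaf first.

    rfc5280_names=True fills authorityCertIssuer with the issuer's issuer name;
    False fills it with the issuer's subject name, as some CA tooling does.
    """
    name_for = (lambda c: c.issuer) if rfc5280_names else (lambda c: c.subject)
    root = Cert("CN=Root CA", "CN=Root CA", 1, b"\x01")
    inter = Cert("CN=Intermediate CA", root.subject, 2, b"\x02",
                 AKID(root.subject_key_id, name_for(root), root.serial))
    leaf = Cert("CN=Code Signer", inter.subject, 3, b"\x03",
                AKID(inter.subject_key_id, name_for(inter), inter.serial))
    return [leaf, inter, root]


def outcomes() -> dict:
    """Every combination of chain style, comparison reading and chain depth."""
    checkers = {"vs_issuer_issuer": akid_vs_issuer_issuer,
                "vs_issuer_subject": akid_vs_issuer_subject}
    out = {}
    for rfc in (True, False):
        style = "rfc5280" if rfc else "subject"
        chain = build_chain(rfc)
        for cname, checker in checkers.items():
            out[(style, cname, 3)] = verify_chain(chain, checker)
            # Drop the leaf: a two-level chain ends at the self-signed root, whose
            # subject and issuer are equal, so both readings agree on it.
            out[(style, cname, 2)] = verify_chain(chain[1:], checker)
    return out


if __name__ == "__main__":
    for key, rc in sorted(outcomes().items()):
        print(key, "->", rc)
```

Running it shows the report's symptom exactly once: a chain whose AKIDs carry the issuer's subject name fails the grandparent-name comparison at depth 3 and nowhere else, while the same comparison passes a chain whose AKIDs follow RFC 5280. So when a three-level chain fails with an AKID issuer/serial mismatch, dump the leaf's Authority Key Identifier (`openssl x509 -noout -text`) and check whether its DirName is the intermediate's subject or the intermediate's issuer before deciding where the bug lives.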

