[openssl-users] openssl is flexible when verifying

Yuting Chen chenyt at cs.sjtu.edu.cn
Mon Apr 6 05:01:55 UTC 2015 

I completely agree with Jeffrey's comments,
"Applications are not required to verify that
key identifiers match when performing
certification path validation." (RFC5280)
But when the certificate has two authority
key ids, openssl may take it as a certificate
having no authority key ids (I think the certificate
is partially parsed and verified).

>From the source code of openssl, it does
match the ids, if available (in v3_purp.c).

if(X509_NAME_cmp(X509_get_subject_name(issuer),
     X509_get_issuer_name(subject)))
         return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
     x509v3_cache_extensions(issuer);
     x509v3_cache_extensions(subject);

    if(subject->akid)
     {
         int ret = X509_check_akid(issuer, subject->akid);
         if (ret != X509_V_OK)
            return ret;
     }


On Sun, Apr 5, 2015 at 7:47 PM, Yuting Chen <chenyt at cs.sjtu.edu.cn> wrote:

> Read a little code of openssl, and found that in
> the function
> X509_check_issued(X509 *issuer, X509 *subject),
>
> The statement
> x509v3_cache_extensions(subject);
> is called for four times, but one certificate did not
> get the subject keyid (as the block of if(subject->akid) is
> called for three times). Seems that if the certificate
> has two key ids, the verification is performed just on
> the basis of their names (supposing that
> subject->akid==NULL).
>
> Not so sure about the correctness of my
> reasoning. It could be better if we can discard
> these certificates, as they will disturb the
> verification.
>
>
> On Sun, Apr 5, 2015 at 2:26 PM, Yuting Chen <chenyt at cs.sjtu.edu.cn> wrote:
>
>> I checked some other certificates, and found that some non self-signed
>> certificates having duplicate extension instances can be verified by
>> openssl. I guess openssl is quite gentle when validating these malformed
>> certificates.
>>
>> On Sun, Apr 5, 2015 at 1:55 PM, Yuting Chen <chenyt at cs.sjtu.edu.cn>
>> wrote:
>>
>>> Hi, when I verify an X509 cert against a ca certificate, I found that
>>> the cert can pass validation even if it has two instances of X509v3 Basic
>>> Constraints, X509v3 Subject Key ids, and authority key ids. Seems that some
>>> issues are not important in verification. (I guess one reason is that one
>>> subject key id is the same as the authority key id, and thus openssl may
>>> regard it as a self-signed certificate? ) Should this be forbidden?
>>> command:  openssl verify -x509_strict -verbose -CAfile  myroot.pem
>>> mycert.pem
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150405/7be2a7df/attachment.html>

More information about the openssl-users mailing list