[openssl-users] openssl is flexible when verifying
Yuting Chen
chenyt at cs.sjtu.edu.cn
Mon Apr 6 17:55:05 UTC 2015
Not sure about how to completely solve the problem. As the function
X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
is called, crit is not actually used (e.g., in v3_purp.c, line 462):
x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
If the value of crit can be retrieved, we may fix function
X509_check_issued (around line 701):
if(X509_NAME_cmp(X509_get_subject_name(issuer),
X509_get_issuer_name(subject)))
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
x509v3_cache_extensions(issuer);
x509v3_cache_extensions(subject);
if(subject->akid)
{
int ret = X509_check_akid(issuer, subject->akid);
if (ret != X509_V_OK)
return ret;
}
+ else if (crit==-2) //subject has more than one akids
+ return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
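Review bot: the new `else if (crit == -2)` branch reads a variable that does not exist in X509_check_issued; the AKID is decoded earlier, in x509v3_cache_extensions (the v3_purp.c call quoted above passes crit as NULL), so the -2 "extension occurs more than once" status would have to be captured there and stored on the X509 object (for example as an extra cached flag next to akid) for this branch to compile and be meaningful. Returning X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH for that case is also misleading: that code describes an AKID whose issuer/serial does not match the issuer certificate, whereas two AKID extensions in one certificate is a malformed certificate and deserves its own error value so callers can tell the two conditions apart. Minor style point: the `//subject has more than one akids` comment should be a `/* ... */` comment to match the surrounding OpenSSL source.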
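The status value the post relies on, -2 when the requested extension occurs more than once, is easiest to see on a small DER model. The following is an added example, not code from the post or from OpenSSL: a dependency-free Python DER walker over an X.509 Extensions SEQUENCE with a `get_ext_d2i` function that mimics the `*crit` reporting of X509V3_get_d2i (-1 absent, -2 duplicated, otherwise 0/1 for the critical flag) and a `duplicate_extensions` check a verifier could run up front, since RFC 5280 forbids more than one instance of any extension. The sample extension blobs (a SubjectKeyIdentifier and one or two AuthorityKeyIdentifier extensions with made-up key identifiers) are constructed inline; the function names and the exact encoder helpers are this example's own.

```python
# Added example (not from the original post or OpenSSL): a minimal DER walker
# that mirrors the status X509V3_get_d2i() reports through *crit when an
# extension is absent (-1), present once (0/1 = its critical flag) or present
# more than once (-2). All certificate data below is constructed for the demo.

AKID_OID = "2.5.29.35"  # id-ce-authorityKeyIdentifier
SKID_OID = "2.5.29.14"  # id-ce-subjectKeyIdentifier


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content


def oid_der(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bits, most significant first
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def oid_str(content):
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(ext_seq_der):
    """List (oid, critical, extnValue) for every Extension in an Extensions SEQUENCE."""
    tag, body, _ = read_tlv(ext_seq_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        assert tag == 0x30, "Extension must be a SEQUENCE"
        t, oid_bytes, p = read_tlv(ext, 0)
        assert t == 0x06, "extnID must be an OID"
        t, nxt, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:  # optional BOOLEAN critical; absent means FALSE
            critical = nxt != b"\x00"
            t, nxt, p = read_tlv(ext, p)
        assert t == 0x04, "extnValue must be an OCTET STRING"
        result.append((oid_str(oid_bytes), critical, nxt))
    return result


def get_ext_d2i(ext_seq_der, oid):
    """Model of X509V3_get_d2i with idx == NULL: (value, crit) with crit -1/-2/0/1."""
    matches = [e for e in parse_extensions(ext_seq_der) if e[0] == oid]
    if not matches:
        return None, -1          # extension not present
    if len(matches) > 1:
        return None, -2          # duplicated: the case the post wants rejected
    _, critical, value = matches[0]
    return value, int(critical)


def duplicate_extensions(ext_seq_der):
    """OIDs that occur more than once; RFC 5280 section 4.2 allows none."""
    seen = {}
    for oid, _, _ in parse_extensions(ext_seq_der):
        seen[oid] = seen.get(oid, 0) + 1
    return sorted(o for o, n in seen.items() if n > 1)


def build_extension(oid, value, critical=False):
    parts = oid_der(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, parts + tlv(0x04, value))


# Constructed sample data: AKID with a [0] keyIdentifier, SKID as an OCTET STRING.
AKID_VALUE = tlv(0x30, tlv(0x80, bytes.fromhex("deadbeef")))
SKID_VALUE = tlv(0x04, bytes.fromhex("01020304"))
WELL_FORMED = tlv(0x30, build_extension(SKID_OID, SKID_VALUE)
                   + build_extension(AKID_OID, AKID_VALUE))
DUPLICATE_AKID = tlv(0x30, build_extension(SKID_OID, SKID_VALUE)
                      + build_extension(AKID_OID, AKID_VALUE)
                      + build_extension(AKID_OID, AKID_VALUE))

if __name__ == "__main__":
    print("well-formed:", get_ext_d2i(WELL_FORMED, AKID_OID)[1], duplicate_extensions(WELL_FORMED))
    print("duplicate  :", get_ext_d2i(DUPLICATE_AKID, AKID_OID)[1], duplicate_extensions(DUPLICATE_AKID))
```

With `crit` being -2 for the duplicated case, a verifier that checks `duplicate_extensions` (or the status value) before caching the AKID can reject the certificate as malformed instead of silently treating it as having no AKID, which is the leniency the post describes.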