[openssl-users] openssl is flexible when verifying
chenyt at cs.sjtu.edu.cn
Mon Apr 6 17:55:05 UTC 2015
Not sure about how to completely solve the problem. As the
X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
is called, crit is not actually used.
(e.g., in v3_purp.c, line 462)
x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
If the value of crit can be retrieved, we may fix the
function X509_check_issued (around line 701).
int ret = X509_check_akid(issuer, subject->akid);
if (ret != X509_V_OK)
+ else if (crit==-2) //subject has more than one akids
+ return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
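Review bot: the added `else if (crit==-2)` tests a variable that none of the visible lines declare or assign inside X509_check_issued. The only decode of the extension shown in this message, the X509_get_ext_d2i call in v3_purp.c, passes NULL for the crit argument, so the -2 "extension occurs more than once" result is discarded before this function runs. The check needs a companion change at that call site: pass an int for crit, record the -2 case on the certificate (for example as a flag next to akid), and have this branch read the stored value for the subject. As quoted, `if (ret != X509_V_OK)` also has no statement before the added `else`, so the hunk should include the existing body line to show where the new branch attaches. Finally, X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH names a different failure than a duplicated AKID extension; a caller inspecting the verify error would be misled, so a code that describes the duplicate-extension condition would be clearer.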